[Opendnssec-user] DNSKEY will expire in 11.6381365740741 days (kskwarn is 12.0)

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Dec 17 08:04:35 UTC 2013


Hi Volker,

On 12/12/2013 09:53 AM, Volker Janzen wrote:
> Hi Matthijs,
> 
>> If you set <Resign> to 12 days, the signer will sign the zone every
>> 12 days. That is not what you want I guess.
> 
> correct. I want it to happen more often.
> 
>> If you have a Refresh period of 3 days, a Resign period of 12 hours,
>> and a Signature Validity of 14 days, then you should let nagios check
>> that a signature does not expire within 10.5 days (14 - 3 - 0.5).

I must have been tired. Above is wrong. I meant to say that a signature
must be refreshed after 10.5 days. And I made a calculation error: it
should be 11.5 days (14 - (3-0.5)). A signature with these values should
not expire within 2.5 (3-0.5) days.

I am sorry for the confusion.

> My default policy contains since your email yesterday:
> 
> <Signatures>
>    <Resign>PT2H</Resign>
>    <Refresh>P3D</Refresh>
>    <Validity>
>       <Default>P14D</Default>
>       <Denial>P14D</Denial>
>    </Validity>
>    <Jitter>PT12H</Jitter>
>    <InceptionOffset>PT3600S</InceptionOffset>
> </Signatures>

If you want signatures to be refreshed 10 days before they expire, your
policy should say:

<Signatures>
   <Resign>PT2H</Resign>
   <Refresh>P11D</Refresh>
   <Validity>
      <Default>P14D</Default>
      <Denial>P14D</Denial>
   </Validity>
   <Jitter>PT12H</Jitter>
   <InceptionOffset>PT3600S</InceptionOffset>
</Signatures>

This will make signatures be refreshed after about 3 days (14 - (11-0.2)).

Best regards,
  Matthijs

> 
> The Nagios plugin is complaining again, as if the zone is still not
> getting fresh signatures:
> 
> dnssec_monitor.rb -z dnssec.cc --kskwarn 10 -n a.dnssecns.de
> 6 : Making resolver for : a.dnssecns.de, a.dnssecns.de
> 6 : Checking dnssec.cc zone on a.dnssecns.de(a.dnssecns.de) nameserver
> 6 : (a.dnssecns.de): Adding zsk : 64429
> 6 : (a.dnssecns.de): Adding ksk : 53095
> 6 : (a.dnssecns.de): dnssec.cc, DNSKEY verified OK
> 4 : (a.dnssecns.de): KSK(key_tag 53095): RRSIG for dnssec.cc,DNSKEY
> will expire in 9.68614583333333 days (kskwarn is 10.0)
> 6 : (a.dnssecns.de): dnssec.cc, SOA verified OK
> 6 : (a.dnssecns.de): dnssec.cc, NS verified OK
> 6 : (a.dnssecns.de): Checking non-existing domain for
> dklfjhwiouy4r9cefuyenwfuyenw.dnssec.cc, NS
> 6 : Finished checking on a.dnssecns.de(a.dnssecns.de)
> 
> The signing is still scheduled, but this is what I see every time: the
> zone is due to be signed in the next hour, but it's not, and signatures
> are still going to expire.
> 
> ods-signer queue
> It is now Thu Dec 12 09:51:25 2013
> 
> I have 1 tasks scheduled.
> On Thu Dec 12 09:57:20 2013 I will [sign] zone dnssec.cc
> 
> 
> Volker
> 
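As an added example, not code from this thread or from OpenDNSSEC, the following Python script reads the <Signatures> policy quoted above and derives, by the same arithmetic used in the reply (Validity minus Refresh plus Resign), the latest age at which a healthy signer refreshes a signature and the least validity it leaves, then checks whether a monitor threshold like --kskwarn lies below that margin. The policy values are copied from the thread; the function names and the duration parser are my own.

```python
import re
import xml.etree.ElementTree as ET
from datetime import timedelta

# Constructed copy of the <Signatures> policy quoted in the thread.
POLICY_XML = """<Signatures>
   <Resign>PT2H</Resign>
   <Refresh>P3D</Refresh>
   <Validity>
      <Default>P14D</Default>
      <Denial>P14D</Denial>
   </Validity>
   <Jitter>PT12H</Jitter>
   <InceptionOffset>PT3600S</InceptionOffset>
</Signatures>"""

# Subset of ISO 8601 durations seen in kasp.xml (P3D, PT2H, PT3600S, P1DT12H).
_DURATION = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$")

def parse_duration(text):
    """Convert a kasp.xml duration string into a timedelta."""
    text = text.strip()
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError("unsupported duration: %r" % text)
    g = {k: int(v) for k, v in m.groupdict().items() if v}
    return timedelta(days=g.get("d", 0), hours=g.get("h", 0),
                     minutes=g.get("m", 0), seconds=g.get("s", 0))

def signature_timing(policy_xml):
    """Return (latest_refresh_age, min_remaining) for a healthy signer.

    A signature is re-signed once less than <Refresh> of its validity is
    left, but the signer only runs every <Resign>, so in the worst case it
    is replaced one Resign interval after the refresh point: it is then
    Validity - Refresh + Resign old with Refresh - Resign left.  Jitter is
    left out, as in the thread's own arithmetic."""
    sig = ET.fromstring(policy_xml)
    validity = parse_duration(sig.findtext("Validity/Default"))
    refresh = parse_duration(sig.findtext("Refresh"))
    resign = parse_duration(sig.findtext("Resign"))
    if refresh <= resign:
        raise ValueError("Refresh must exceed Resign or signatures can lapse")
    return validity - refresh + resign, refresh - resign

def warn_threshold_ok(policy_xml, warn_days):
    """True if a monitor warning at warn_days remaining fires only when the
    signer is really failing, i.e. the threshold is below min_remaining."""
    return timedelta(days=warn_days) < signature_timing(policy_xml)[1]
```

With the quoted policy the margin is 3 days minus 2 hours, so a kskwarn of 10 days fires during normal operation; with Refresh set to P11D it does not.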