Hi Volker,

On 10-12-13 13:10, Volker Janzen wrote:
> Hi Matthijs,
>
> Because a picture says more than a thousand words, I would like to point to: https://wiki.opendnssec.org/display/DOCS/kasp.xml Thus nagios should complain when the signature expires in less than 3 days. Actually: less than 3 days minus the resign period, so 3 days minus 2 hours.
>
> I think I understand my problem now. In my own words: all signatures are set to have a validity of 14 days - the period I want to check in Nagios. This does not work, because only signatures are re-generated that are going to expire in the resign period. If I set the resign to e.g. 12 days, the signer will resign the whole zone every two days. This will consume more CPU and scale badly with many zones.
If you set <Resign> to 12 days, the signer will sign the zone every 12 days. That is not what you want I guess.
> If I just have a few zones, I can set signature validity to 14, Resign to 10. This will cause a resign every 4 days. Signature expiry should not fall below 10 days with this (minus 3 hours). Correct? So e.g. nine days would be safe to check in Nagios.
You haven't talked about Refresh yet. At least the Refresh period should be higher than the Resign period. I think a Resign period of 4 days is quite high. I would make it a couple of hours.
The Refresh period allows you to regenerate signatures a time before it will expire. This is usually set to a value that it takes to resolve issues with the signer system, plus the weekend. So the Refresh period is usually a few days.
If you have a Refresh period of 3 days, a Resign period of 12 hours, and a Signature Validity of 14 days, then you should let nagios check that a signature does not expire within 10.5 days (14 - 3 - 0.5).
Best regards, Matthijs
Volker
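Turning the arithmetic from the reply into a Nagios-style check, as an added example that is not code from OpenDNSSEC or from either poster: it parses kasp.xml duration strings, computes the threshold the reply gives (Validity minus Refresh minus Resign), and flags RRSIG records from `dig +dnssec` output whose expiration falls inside that window. The duration grammar is limited to days/hours/minutes/seconds, and the RRSIG lines and the clock value are constructed sample data.

```python
import re
from datetime import datetime, timezone

# kasp.xml durations are ISO 8601 strings such as P14D, PT12H or P3DT2H; months/years are rejected.
_DUR = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")

def parse_duration(text):
    """Seconds in a kasp.xml duration string."""
    m = _DUR.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError("unsupported duration: %r" % text)
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds

def nagios_threshold(validity, refresh, resign):
    """Remaining lifetime (seconds) below which Nagios should complain,
    using the arithmetic from the reply: Validity - Refresh - Resign."""
    return parse_duration(validity) - parse_duration(refresh) - parse_duration(resign)

# RRSIG presentation format: owner TTL IN RRSIG type alg labels origttl expiration inception keytag signer sig
_RRSIG = re.compile(r"^(\S+)\s+\d+\s+IN\s+RRSIG\s+(\S+)\s+\d+\s+\d+\s+\d+\s+(\d{14})\s+\d{14}\s")

def check_rrsigs(lines, threshold, now):
    """Nagios-style result: (state, message) with 0 = OK, 1 = WARNING, 2 = CRITICAL."""
    state, problems = 0, []
    for line in lines:
        m = _RRSIG.match(line.strip())
        if not m:
            continue  # not an RRSIG line (A, NS, comment, ...)
        owner, rtype, expiration = m.groups()
        expires = datetime.strptime(expiration, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        remaining = (expires - now).total_seconds()
        if remaining <= 0:
            state = 2
            problems.append("%s %s EXPIRED" % (owner, rtype))
        elif remaining < threshold:
            state = max(state, 1)
            problems.append("%s %s expires in %.1f days" % (owner, rtype, remaining / 86400))
    return state, "; ".join(problems) or "all signatures have more than %.1f days left" % (threshold / 86400)

# Constructed sample: RRSIG lines as printed by dig +dnssec, checked against a constructed "now".
NOW = datetime(2013, 12, 10, 13, 10, tzinfo=timezone.utc)
SAMPLE_RRSIGS = [
    "example.com. 3600 IN RRSIG SOA 8 2 3600 20131225000000 20131211000000 12345 example.com. c2lnMQ==",
    "www.example.com. 3600 IN RRSIG A 8 3 3600 20131218120000 20131204120000 12345 example.com. c2lnMg==",
    "old.example.com. 3600 IN RRSIG A 8 3 3600 20131209000000 20131125000000 12345 example.com. c2lnMw==",
]

if __name__ == "__main__":
    code, msg = check_rrsigs(SAMPLE_RRSIGS, nagios_threshold("P14D", "P3D", "PT12H"), NOW)
    print(["OK", "WARNING", "CRITICAL"][code], msg)
    raise SystemExit(code)
```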
_______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
