Hi Matthijs,

> Because a picture says more than a thousand words, I would like to
> point to:
>
> https://wiki.opendnssec.org/display/DOCS/kasp.xml
>
> Thus nagios should complain when the signature expires in less than 3
> days. Actually: less than 3 days minus the resign period so 3 days minus
> 2 hours.

I think I understand my problem now. In my own words: all signatures are set to have a validity of 14 days - the period I want to check in Nagios. This does not work, because only signatures that are going to expire in the resign period are regenerated.

If I set the resign to e.g. 12 days, the signer will resign the whole zone every two days. This will consume more CPU and scale badly with many zones.

If I just have a few zones, I can set signature validity to 14, resign to 10. This will cause a resign every 4 days. Signature expiry should not fall below 10 days with this (minus 3 hours). Correct? So e.g. nine days would be safe to check in Nagios.

Volker