-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 I have seen this too one time, but in my case OpenDNSSEC did it right, it was a secondary name server that was not updated properly (e.g. running a previous serial of the zone) and that's why nagios complained.
You can remove signatures with > ods-signer clear <zone> This will clear the internal storage of that zone. Then run > ods-signer sign <zone> to immediately sign the zone again. Best regards, Matthijs On 07/04/2012 04:27 PM, Bas van den Dikkenberg wrote: > Is there way to remove the expired sigs bye hand ? > > > -----Oorspronkelijk bericht----- Van: Scott Armitage > [mailto:[email protected]] Verzonden: woensdag 4 juli 2012 > 15:56 Aan: Bas van den Dikkenberg CC: > [email protected] Onderwerp: Re: > [Opendnssec-user] RRSIG for hobby.nl expires soon > > > On 4 Jul 2012, at 14:40, Bas van den Dikkenberg wrote: > >> Hi i have problem with rrsig's that are expiring. >> >> In the kaspl it states that the rrsig's must be refresh 3d before >> they expire. But opendnssec doesn't refresh them. >> >> This is in my kaspl.xml >> >> <Signatures> <Resign>PT2H</Resign> <Refresh>P3D</Refresh> >> <Validity> <Default>P7D</Default> <Denial>P7D</Denial> >> </Validity> <Jitter>PT12H</Jitter> >> <InceptionOffset>PT3600S</InceptionOffset> </Signatures> >> >> >> >> But nagios reports: WARNING: check_dnssec_expiration - RRSIG for >> hobby.nl expires soon (20120705141400). >> >> Any sugestions ? >> > > > I have noticed the same problem. I have had time to look into so > hadn't posted to the list. Whilst ODS never lets the signatures > expire, it does seem to operate outside of its refresh window. > > > > Scott Armitage Loughborough University > _______________________________________________ Opendnssec-user > mailing list [email protected] > https://lists.opendnssec.org/mailman/listinfo/opendnssec-user > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iQEcBAEBAgAGBQJP9UyXAAoJEA8yVCPsQCW5u7kH/2v//qo9peqjEjetb1K9JnhX pKhhlzcohIs00+REbjn7QO/QlZzLmkHvPZ/Nq5L+HX0y47Yr2sPG/lCer1ID5uPX lwaJ03oMapoM8URVdSQun1VkEseoWv81C7nDQbhZatPzDH0S3oBABFsTcuc9/bkU 5H04u83x+cs7Iv2bNf3Lo3DwPn68L5XMCnQM/UOrzwIfzFbsS47tEgYmkGefESZn NTwcPpiUbGZh8EOC5fK7u/97cQhJAidyqpdBuoP5uKLYD3GgqmGmAszFo6YEN9ZD SK07XZxpLHJkSbqi+VJeeXFhSr9Qf+OFU7cR52cXasfQbzTaWlQ+KuOgprxFr8U= =EjjV -----END PGP SIGNATURE----- _______________________________________________ Opendnssec-user mailing list [email protected] https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
