[dns-operations] DNSSEC signatures expired for getdnsapi.org and getdnsapi.net
Willem Toorop
willem at nlnetlabs.nl
Mon Sep 18 09:21:44 UTC 2017
Op 18-09-17 om 09:42 schreef Viktor Dukhovni:
>
>> On Sep 18, 2017, at 3:32 AM, Willem Toorop <willem at nlnetlabs.nl> wrote:
>>
>> Oops... Consequence of a too hasty and uncareful software update.
>> I just started the signers again.
>
> I'd like to suggest monitoring. For my own domains, the alarms start
> going off 3 days before the signatures are due to expire. When automatic
> re-signing is working correctly no records ever get that close to
> expiration.
getdns did have basic monitoring, but because the project started
outside NLnet Labs with an external environment, it was not fully
integrated with our signing and monitoring infrastructure and the alert
not escalated according to standard.
I will move the monitoring (and signing) to our regular infrastructure
so it will be better monitored (by more people) in the future.
Sorry again,
-- Willem
More information about the dns-operations
mailing list