It is not at this point emphasized anywhere, including on weakdh.org, that it is actually of high importance to regenerate your DH parameters frequently.
That's not really correct.
If you're using a prime of length at least 2048 bits, then the corresponding discrete-log problem is well-beyond the pre-computation ability of the NSA (or anyone else).
It is computationally intensive to generate such large primes, p (and corresponding base parameter, g). You need to ensure that p is actually prime (the costly step [1]) and that g is primitive.
Which is why most implementations have used shorter (<= 1024 bit) primes.
Using shorter primes, and regenerating DH parameters at regular intervals, is only a linear-time improvement. By contrast, generating longer DH parameters (without bothering to regenerate) is an EXPONENTIAL improvement in security.
So the best setting is to set ssl_dh_parameters_length as large as feasible ([2] recommends 2048 bits), and NOT to regenerate.
[1] http://en.wikipedia.org/wiki/Miller%E2%80%93Rabin_primality_test [2] https://weakdh.org/sysadmin.html