Strange tiny time limit RRSIG

Paul Wouters paul at xelerance.com
Fri Aug 14 15:28:52 UTC 2009


On Fri, 14 Aug 2009, Chris Thompson wrote:

>> I'm running into a strange issue where when signing a zone with
>> re-using signatures, that sometimes 1 RRSIG record ends up with
>> a validity time of almost nothing. This happens for instance when
>> signing (and re-using sigs) using "-i 1296000  -e +2592000 -j 2592000"
>> as part of the dnssec-signzone command.
>
> If you set the jitter equal to the relative end time, you are spreading
> the expiry times uniformly between now and then, so you should expect
> a few of them to be be "almost nothing". You should be setting jitter
> so that the earliest expiry time is (comfortably) later than the next
> time you expect to resign the zone in the same way. (I am assuming that
> you are using offline signing only.)

Im signing more or less hourly. My -i interval says "at least 1296000 seconds
in the future" from start date "now - minus 1 hour" (because I don't use "-s")

So as far as I can tell, I should always be more then fine on the lower
time limit. That's why I'm suspecting a bug in the jitter code.

Paul



More information about the bind-users mailing list