Strange tiny time limit RRSIG
Paul Wouters
paul at xelerance.com
Fri Aug 14 15:28:52 UTC 2009
On Fri, 14 Aug 2009, Chris Thompson wrote:
>> I'm running into a strange issue where when signing a zone with
>> re-using signatures, that sometimes 1 RRSIG record ends up with
>> a validity time of almost nothing. This happens for instance when
>> signing (and re-using sigs) using "-i 1296000 -e +2592000 -j 2592000"
>> as part of the dnssec-signzone command.
>
> If you set the jitter equal to the relative end time, you are spreading
> the expiry times uniformly between now and then, so you should expect
> a few of them to be "almost nothing". You should be setting jitter
> so that the earliest expiry time is (comfortably) later than the next
> time you expect to resign the zone in the same way. (I am assuming that
> you are using offline signing only.)
I'm signing more or less hourly. My -i interval says "at least 1296000 seconds
in the future" from start date "now minus 1 hour" (because I don't use "-s").
So as far as I can tell, I should always be more than fine on the lower
time limit. That's why I'm suspecting a bug in the jitter code.
Paul
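A small model of the -e/-j/-i interaction Chris describes, added here as an illustration; it is not part of the thread and not BIND's code. It assumes that dnssec-signzone subtracts a uniformly random value in [0, -j) seconds from the requested -e end time (so expiries are spread between now and the end time, never past it), and that a signature whose expiry falls within the -i cycle interval of the signing time counts as "expiring soon" and is replaced on the next run. The function names are hypothetical and the simulated run uses constructed data.

```python
"""Model of dnssec-signzone's -e/-j/-i interaction (added example, not BIND code).

Assumptions, labelled: BIND subtracts a random value in [0, jitter) from the
requested end time, so expiries are spread uniformly between 'now' and -e; a
signature whose expiry lies within the -i cycle interval of 'now' is treated
as expiring soon and re-signed on the next run. All times are in seconds.
"""
import random


def jittered_expiry(now, end_offset, jitter, rng):
    """Expiry of one freshly made RRSIG, given the signing time 'now'."""
    if jitter == 0:
        return now + end_offset
    # Assumption: jitter is subtracted, never added, so no RRSIG outlives -e.
    return now + end_offset - rng.randrange(jitter)


def validity_bounds(end_offset, jitter):
    """Shortest and longest validity (seconds) a new signature can receive."""
    shortest = end_offset - (jitter - 1) if jitter > 0 else end_offset
    return shortest, end_offset


def fraction_below_interval(end_offset, jitter, interval):
    """Share of fresh signatures whose expiry is already inside the -i window
    (expiry < now + interval) and that will be re-signed on the very next run."""
    if jitter == 0:
        return 0.0 if end_offset >= interval else 1.0
    # expiry < now + interval  <=>  random draw r > end_offset - interval
    threshold = end_offset - interval
    bad_draws = max(0, min(jitter, jitter - 1 - threshold))
    return bad_draws / jitter


def max_safe_jitter(end_offset, next_resign_in):
    """Largest -j for which even the shortest-lived signature is still valid
    'next_resign_in' seconds from now (Chris's rule of thumb, rounded down by
    one second to stay conservative). Returns 0 if -e itself is too short."""
    return max(0, end_offset - next_resign_in)


def simulate_signing(end_offset, jitter, interval, n_rrsets, seed):
    """Sign n_rrsets RRsets once; return the minimum validity and how many
    signatures already sit inside the -i window. Constructed, seeded run."""
    rng = random.Random(seed)
    now = 0
    expiries = [jittered_expiry(now, end_offset, jitter, rng) for _ in range(n_rrsets)]
    min_validity = min(expiries) - now
    expiring_soon = sum(1 for e in expiries if e - now < interval)
    return min_validity, expiring_soon


if __name__ == "__main__":
    # The -e/-j/-i values from the thread: 30 days, 30 days of jitter, 15 days.
    END, JIT, INT = 2592000, 2592000, 1296000
    print("validity bounds (s):", validity_bounds(END, JIT))
    print("fraction re-signed next run: %.3f" % fraction_below_interval(END, JIT, INT))
    print("simulated run, 1000 RRsets:", simulate_signing(END, JIT, INT, 1000, seed=7))
    # Hourly signing: the earliest expiry must clear the -i window plus one hour.
    print("largest safe -j for this setup:", max_safe_jitter(END, INT + 3600))
```

With jitter equal to the relative end time the shortest possible validity is one second and about half of every run's fresh signatures land inside the 15-day -i window, which is the behaviour reported at the top of the thread; shrinking -j so that `validity_bounds` stays above the next expected re-sign time removes the near-zero case.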