Strange tiny time limit RRSIG

Evan Hunt each at isc.org
Fri Aug 14 16:34:57 UTC 2009


> I'm signing more or less hourly. My -i interval says "at least 1296000
> seconds in the future" from start date "now - minus 1 hour" (because I
> don't use "-s")

Your -i flag says: if you're re-signing a zone that's already signed, any
RRSIGs whose expiry times are less than 15 days in the future should be
dropped and replaced with new RRSIGs.  (1296000 == 15 days)

Your -e flag says, sign records with a base expiry time 30 days in the future.

Your -j flag says, use a 30 day jitter window for the expiry times.  So now
it's 30 days in the future, plus or minus 15 days.

So, a few records end up with expiry 30-15=15 days in the future.  The next
time you sign, because of the -i flag, they get resigned.  I don't think
there's anything else going on here.

I'd suggest dropping the -i flag or scaling down the size of the jitter
window.  You can drop -e too, incidentally, since 30 days is already the
default.

(By the way, in 9.7.0a2 the times no longer have to be specified in seconds;
we added suffixes to specify hours, days, weeks, etc.  So you could be saying
"-e 30d -i 10d -j 12h" or whatever.)

--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
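A small model of the -e/-i/-j interaction explained in the reply, added here as an illustration (it is not code from the message or from BIND itself). It assumes the symmetric plus-or-minus jitter window the reply describes, and a fresh -i check on every signing run; the run interval, record count and seed are made-up inputs.

```python
import random

HOUR = 3600
DAY = 86400

def jittered_expiry(end, jitter, rng):
    """Expiry (seconds after signing) of one RRSIG under the model in the
    reply: the -e base end time shifted by a random offset anywhere in the
    plus-or-minus jitter/2 window that -j sets (assumed symmetric)."""
    return end + rng.randint(-jitter // 2, jitter // 2)

def needs_resign(expiry, now, cycle):
    """The -i rule from the reply: an existing RRSIG that expires less than
    `cycle` seconds after `now` is dropped and replaced."""
    return expiry - now < cycle

def churn_possible(end, jitter, cycle, run_interval):
    """True when the earliest expiry -e/-j can produce already falls inside
    the -i window at the next run, `run_interval` seconds later. That is the
    case the reply describes: 30d - 15d = 15d, re-signed an hour later."""
    earliest = end - jitter // 2
    return needs_resign(earliest, run_interval, cycle)

def count_resigned(end, jitter, cycle, run_interval, n=10000, seed=7):
    """Sign n RRSIGs at t=0, then count how many the run at t=run_interval
    would re-sign. Seeded so the simulation is repeatable (constructed input)."""
    rng = random.Random(seed)
    expiries = [jittered_expiry(end, jitter, rng) for _ in range(n)]
    return sum(needs_resign(e, run_interval, cycle) for e in expiries)

if __name__ == "__main__":
    # The poster's settings: -e 30 days (the default), -i 15 days, -j 30 days,
    # signing every hour.
    print("original :", churn_possible(30 * DAY, 30 * DAY, 15 * DAY, HOUR),
          count_resigned(30 * DAY, 30 * DAY, 15 * DAY, HOUR))
    # The suggestion in the reply: -e 30d -i 10d -j 12h.
    print("suggested:", churn_possible(30 * DAY, 12 * HOUR, 10 * DAY, HOUR),
          count_resigned(30 * DAY, 12 * HOUR, 10 * DAY, HOUR))
```

With the original settings some records sit exactly at the -i boundary and are re-signed at every hourly run; with the suggested settings the earliest possible expiry stays well outside the -i window, so nothing churns.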
