Strange tiny time limit RRSIG
each at isc.org
Fri Aug 14 16:34:57 UTC 2009
> I'm signing more or less hourly. My -i interval says "at least 1296000
> seconds in the future" from start date "now - minus 1 hour" (because I
> don't use "-s")
Your -i flag says: if you're re-signing a zone that's already signed, any
RRSIGs whose expiry times are less than 15 days in the future should be
dropped and replaced with new RRSIGs. (1296000 == 15 days)
Your -e flag says, sign records with a base expiry time 30 days in the future.
Your -j flag says, use a 30 day jitter window for the expiry times. So now
it's 30 days in the future, plus or minus 15 days.
So, a few records end up with expiry 30-15=15 days in the future. The next
time you sign, because of the -i flag, they get re-signed. I don't think
there's anything else going on here.
I'd suggest dropping the -i flag or scaling down the size of the jitter
window. You can drop -e too, incidentally; since 30 days is already the
(By the way, in 9.7.0a2 the times no longer have to be specified in seconds;
we added suffixes to specify hours, days, weeks, etc. So you could be saying
"-e 30d -i 10d -j 12h" or whatever.)
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
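The arithmetic in the reply above, as an added example that is not from the thread or from BIND's own code: it models the -e/-j expiry window and the -i re-sign check, and shows why an hourly run with -e 30d -j 30d -i 15d always catches a small slice of RRSIGs (1 hour out of a 30-day jitter window), while the suggested -e 30d -i 10d -j 12h catches none. The symmetric uniform jitter in [-j/2, +j/2] is an assumption taken from the wording "plus or minus 15 days"; the s/m/w suffixes in the parser are assumed, only d and h appear in the thread.

```python
import random

HOUR = 3600
DAY = 86400

def parse_interval(spec):
    """Seconds from '1296000' or a suffixed form like '30d' / '12h'.
    d and h appear in the thread; s, m and w are assumed for completeness."""
    units = {"s": 1, "m": 60, "h": HOUR, "d": DAY, "w": 7 * DAY}
    spec = spec.strip().lower()
    if spec[-1] in units:
        return int(spec[:-1]) * units[spec[-1]]
    return int(spec)

def rrsig_expiry(sign_time, expiry, jitter, rng):
    """Expiry stamped on a fresh RRSIG: the -e offset plus a uniform jitter
    in [-j/2, +j/2] (assumed model of the -j window)."""
    return sign_time + expiry + rng.uniform(-jitter / 2, jitter / 2)

def needs_resign(expiry_time, now, interval):
    """-i rule: an RRSIG expiring less than `interval` from now is replaced."""
    return expiry_time - now < interval

def early_resign_fraction(expiry, jitter, interval, elapsed):
    """Closed form: share of the jitter window the -i check will catch when
    the zone is re-signed `elapsed` seconds after the previous run."""
    lo, hi = expiry - jitter / 2, expiry + jitter / 2
    cutoff = interval + elapsed      # expiry offsets below this fail the -i check
    if cutoff <= lo:
        return 0.0
    if cutoff >= hi:
        return 1.0
    return (cutoff - lo) / (hi - lo)

def simulate(n, expiry, jitter, interval, elapsed, seed=1):
    """Sign n records at t=0, re-run `elapsed` seconds later, count re-signs."""
    rng = random.Random(seed)
    exps = [rrsig_expiry(0, expiry, jitter, rng) for _ in range(n)]
    return sum(needs_resign(e, elapsed, interval) for e in exps)

if __name__ == "__main__":
    # The poster's flags: -e 30d -j 30d (+/-15d) -i 1296000 (15d), run hourly.
    thread = (parse_interval("30d"), parse_interval("30d"), parse_interval("1296000"))
    print("fraction re-signed early per hourly run:", early_resign_fraction(*thread, HOUR))
    print("of 100000 RRSIGs:", simulate(100000, *thread, HOUR))
    # The reply's suggestion: -e 30d -i 10d -j 12h
    better = (parse_interval("30d"), parse_interval("12h"), parse_interval("10d"))
    print("with suggested flags:", simulate(100000, *better, HOUR))
```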