Strange tiny time limit RRSIG

Paul Wouters paul at xelerance.com
Fri Aug 14 16:44:44 UTC 2009


On Fri, 14 Aug 2009, Evan Hunt wrote:

>> I'm signing more or less hourly. My -i interval says "at least 1296000
>> seconds in the future" from start date "now - minus 1 hour" (because I
>> don't use "-s")
>
> Your -i flag says: if you're re-signing a zone that's already signed, any
> RRSIGs whose expiry times are less than 15 days in the future should be
> dropped and replaced with new RRSIGs.  (1296000 == 15 days)
>
> Your -e flag says, sign records with a base expiry time 30 days in the future.
>
> Your -j flag says, use a 30 day jitter window for the expiry times.  So now
> it's 30 days in the future, plus or minus 15 days.
>
> So, a few records end up with expiry 30-15=15 days in the future.  The next
> time you sign, because of the -i flag, they get resigned.  I don't think
> there's anything else going on here.

But I am getting the error that the signature is *expired*. Not that it is
being replaced because it's only valid for 15 days - 1 hour in the future.

> I'd suggest dropping the -i flag or scaling down the size of the jitter
> window.  You can drop -e too, incidentally, since 30 days is already the
> default.

But I want to re-use signatures and use jitter. I'm using -e because
I'm allowing a configurable validity time. It just happens to be the
same as the default in this example.

> (By the way, in 9.7.0a2 the times no longer have to be specified in seconds;
> we added suffixes to specify hours, days, weeks, etc.  So you could be saying
> "-e 30d -i 10d -j 12h" or whatever.)

Awesome. It was on my own todo list as well, as we didn't want people
to need to calculate the number of seconds.

Anyway, please try to run two dnssec-signzone commands right after each
other using "-i 1296000 -j 2592000" and see if you also have one RRSIG
being expired.

Paul
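A small model of the -s/-e/-i/-j interplay Evan and Paul are discussing, added here as a worked example; it is not code from the thread or from BIND. Everything in it is an assumption made for illustration: the zone owner names and the epoch value used as "now" are constructed, both runs of Paul's back-to-back experiment are given the same "now", and the jitter rule is parameterised because the two readings in the thread give different answers. By default the model subtracts a random 0..jitter-1 seconds from the -e end time (expiry lands in [end - jitter, end]); centred=True models the "30 days plus or minus 15" reading instead. FixedRng stands in for the random generator so the extreme expiries a flag combination permits can be shown exactly.

```python
"""Model of how dnssec-signzone's -s/-e/-i/-j interact across repeated runs.

Added example for this thread; it is not BIND code. The jitter rule is an
assumption: by default a random 0..jitter-1 seconds is subtracted from the
-e end time (expiry in [end - jitter, end]); centred=True models the
"end time plus or minus half the window" reading instead.
"""
import random
from dataclasses import dataclass

HOUR = 3600
DAY = 86400


@dataclass
class RRSig:
    owner: str
    inception: int   # epoch seconds, the -s start time ("now - 1h" here)
    expiration: int  # epoch seconds, the -e end time after jitter


def jittered_expiry(end, jitter, rng, centred=False):
    """Pick one RRSIG expiry from the jitter window (see module docstring)."""
    if jitter == 0:
        return end
    if centred:
        return end - jitter // 2 + rng.randrange(jitter)
    return end - rng.randrange(jitter)


def classify(sig, now, interval):
    """Verdict a re-signing run reaches for an existing RRSIG.
    'expired': expiry already passed, the signature is not valid now
    'resign' : still valid but expires within the -i interval, replace it
    'keep'   : valid for longer than -i, reuse it unchanged
    """
    if sig.expiration <= now:
        return "expired"
    if sig.expiration - now < interval:
        return "resign"
    return "keep"


def sign_zone(owners, existing, now, rng, start_offset=-HOUR,
              validity=30 * DAY, interval=15 * DAY, jitter=30 * DAY,
              centred=False):
    """One dnssec-signzone run over `owners`; `existing` holds the RRSIGs
    written by the previous run (empty dict on the first pass).
    Returns (new_sigs, counts); counts maps each classify() verdict to the
    number of pre-existing RRSIGs that received it."""
    start = now + start_offset          # -s: "now - 1 hour"
    end = start + validity              # -e: validity measured from start
    new_sigs, counts = {}, {"expired": 0, "resign": 0, "keep": 0}
    for owner in owners:
        old = existing.get(owner)
        verdict = classify(old, now, interval) if old else "resign"
        if old:
            counts[verdict] += 1
        if verdict == "keep":
            new_sigs[owner] = old
        else:
            new_sigs[owner] = RRSig(
                owner, start, jittered_expiry(end, jitter, rng, centred))
    return new_sigs, counts


class FixedRng:
    """Stand-in for random.Random that always picks one end of the jitter
    window, so the extreme expiries the flags permit can be shown exactly."""
    def __init__(self, pick_max):
        self.pick_max = pick_max

    def randrange(self, n):
        return n - 1 if self.pick_max else 0


def two_runs(owners, now, rng, **flags):
    """Paul's experiment: sign twice in a row, report the second run's verdicts."""
    first, _ = sign_zone(owners, {}, now, rng, **flags)
    _, counts = sign_zone(owners, first, now, rng, **flags)
    return counts


if __name__ == "__main__":
    owners = [f"host{i}.example." for i in range(500)]  # constructed zone
    now = 1_250_000_000                                  # constructed "now"
    print("seeded run  :", two_runs(owners, now, random.Random(2009)))
    print("jitter max  :", two_runs(owners, now, FixedRng(True)))
    print("jitter min  :", two_runs(owners, now, FixedRng(False)))
    print("centred min :", two_runs(owners, now, FixedRng(False), centred=True))
```

What the two stubs show: with the window subtracted from an end time that is itself computed from "now - 1h", the lowest expiry the flags allow is one hour in the past, so a draw at the edge of the window produces an RRSIG that is already expired when it is written and is reported as such on the very next run. With the centred reading the lowest expiry is 15 days minus one hour, which falls inside -i and gets resigned, the churn Evan describes. In both readings the check worth doing before adopting a flag combination is the same: the minimum expiry (start plus -e minus the full or half jitter) must stay above now plus -i, otherwise fresh signatures are never reusable.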
