Strange tiny time limit RRSIG
paul at xelerance.com
Fri Aug 14 16:52:30 UTC 2009
On Fri, 14 Aug 2009, Chris Thompson wrote:
>> So as far as I can tell, I should always be more than fine on the lower
>> time limit. That's why I'm suspecting a bug in the jitter code.
> I think you misunderstand what -i does (or else I do!). If a signature
> more than 15 days into the future (with your settings) it is left alone. But
> if it expires sooner than that, it is replaced, using -s, -e, -j. There's
> nothing that stops the new expiry time being *earlier* than it was
I am under the impression that -i ensures that the minimum expiry *after jittering*
is still kept in place.
> if -j is set as large as you are. Obviously, that's not a sensible choice of
Why not? If I have 1.2M signatures, all of which have to be valid for at least
1w, at most 4w, and spread out equally over those 3w weeks, isn't that a
> I would suggest that -j should be no more than 648000 (say), and
> certainly no more than 1296000.
Why no more than 1w? And why certainly no more than 2w?
> For testing the uniform distribution, and seeing just how many new signatures
> are almost due to expire when created, I suggest
The distribution seems fine, but let me know if I'm wrong. See:
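An added example, not part of the original message and not BIND code: it models the behaviour described in the quoted reply (a signature expiring later than the -i interval is kept, anything sooner is replaced) and computes what share of freshly made signatures already fall inside that replacement window. The uniform draw over [end - jitter, end], the 4w end offset and the function names are assumptions taken from the figures in the thread.

```python
import random

DAY = 86400
WEEK = 7 * DAY

def fraction_inside_window(end_offset, jitter, interval):
    """Share of new signatures whose remaining lifetime is already shorter
    than `interval`, so the next signing run would replace them again.
    Assumed model: expiry uniform in [end_offset - jitter, end_offset]."""
    earliest = end_offset - jitter
    if earliest >= interval:
        return 0.0          # even the shortest-lived signature is safe
    if jitter == 0:
        return 1.0          # no spread and the fixed expiry is too close
    return min(1.0, (interval - earliest) / jitter)

def simulate(end_offset, jitter, interval, n=100_000, seed=1):
    """Monte Carlo check of the closed form above (seeded, repeatable)."""
    rng = random.Random(seed)
    hits = 0
    for _ in range(n):
        lifetime = end_offset - rng.uniform(0, jitter)
        if lifetime < interval:
            hits += 1
    return hits / n

def report(end_offset=4 * WEEK, interval=15 * DAY):
    """Compare the 3w jitter from the thread with the two suggested caps."""
    rows = []
    for jitter in (3 * WEEK, 1296000, 648000):
        rows.append((jitter,
                     fraction_inside_window(end_offset, jitter, interval),
                     simulate(end_offset, jitter, interval)))
    return rows

if __name__ == "__main__":
    for jitter, exact, sampled in report():
        print(f"jitter={jitter:>8}s  exact={exact:.3f}  simulated={sampled:.3f}")
```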