Strange tiny time limit RRSIG

Mark Andrews marka at isc.org
Fri Aug 14 21:46:01 UTC 2009


In message <alpine.LFD.1.10.0908141126400.26106 at newtla.xelerance.com>, Paul Wouters writes:
> On Fri, 14 Aug 2009, Chris Thompson wrote:
> 
> >> I'm running into a strange issue where when signing a zone with
> >> re-using signatures, that sometimes 1 RRSIG record ends up with
> >> a validity time of almost nothing. This happens for instance when
> >> signing (and re-using sigs) using "-i 1296000  -e +2592000 -j 2592000"
> >> as part of the dnssec-signzone command.
> >
> > If you set the jitter equal to the relative end time, you are spreading
> > the expiry times uniformly between now and then, so you should expect
> > a few of them to be "almost nothing". You should be setting jitter
> > so that the earliest expiry time is (comfortably) later than the next
> > time you expect to resign the zone in the same way. (I am assuming that
> > you are using offline signing only.)
> 
> I'm signing more or less hourly. My -i interval says "at least 1296000 seconds
> in the future" from start date "now - minus 1 hour" (because I don't use "-s")
> 
> So as far as I can tell, I should always be more than fine on the lower
> time limit. That's why I'm suspecting a bug in the jitter code.

	actual_end_time = endtime - jitter

	where jitter is [0..jitter)
 
> Paul
> _______________________________________________
> bind-users mailing list
> bind-users at lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
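Mark's rule above, as an added example that is not part of the thread: a Python model of the jitter computation using the option values Paul quotes, showing why a handful of signatures come out with almost no validity when -j equals -e, and how to size -j the way Chris suggests. The -i behaviour assumed in the comments (a signature whose expiry falls inside the cycle interval is replaced at the next signing run) is taken from the dnssec-signzone manual, not from the thread; the hourly re-signing period and the epoch time are constructed from Paul's description.

```python
"""Added example (not from the thread): model dnssec-signzone's expiry jitter.

Rule from Mark's reply: actual_end_time = endtime - jitter, jitter drawn from [0, jitter).
"""
import random

# Option values quoted in the thread: -i 1296000 -e +2592000 -j 2592000 (seconds)
INTERVAL = 1296000        # -i: 15 days (cycle interval; expiring sigs get re-signed)
END_OFFSET = 2592000      # -e: +30 days relative to signing time
JITTER = 2592000          # -j: 30 days
RESIGN_PERIOD = 3600      # constructed: Paul says he re-signs "more or less hourly"


def actual_end_time(now, end_offset=END_OFFSET, jitter=JITTER, rng=random):
    """Expiry of a freshly generated RRSIG, per the rule in Mark's reply.

    `now` is an integer epoch time; the random offset j lies in [0, jitter),
    so the result lies in (now + end_offset - jitter, now + end_offset]."""
    j = rng.randrange(jitter) if jitter > 0 else 0
    return now + end_offset - j


def min_validity(end_offset=END_OFFSET, jitter=JITTER):
    """Shortest lifetime a new signature can get (j = jitter - 1)."""
    return end_offset - (jitter - 1 if jitter > 0 else 0)


def fraction_expiring_early(end_offset=END_OFFSET, jitter=JITTER,
                            resign_period=RESIGN_PERIOD):
    """Share of fresh signatures that expire at or before the next signing run.

    A signature is early when now + end_offset - j <= now + resign_period,
    i.e. when j >= end_offset - resign_period; count those j in [0, jitter)."""
    if jitter <= 0:
        return 0.0 if end_offset > resign_period else 1.0
    early = jitter - (end_offset - resign_period)
    return max(0, min(jitter, early)) / jitter


def max_safe_jitter(end_offset=END_OFFSET, resign_period=RESIGN_PERIOD, cushion=0):
    """Largest -j for which every new signature outlives the next run plus `cushion`.

    Chris's advice in numbers: the earliest expiry (end_offset - jitter) must stay
    later than the next re-signing time by a comfortable margin."""
    return max(0, end_offset - resign_period - cushion)


def simulate_early_expiries(n, seed, end_offset=END_OFFSET, jitter=JITTER,
                            resign_period=RESIGN_PERIOD):
    """Generate n expiries at one signing run and count those the next run finds
    already expired.  With -i 1296000 such a signature is regenerated at that run,
    but the RRset was unverifiable in between, which is the symptom Paul reports."""
    rng = random.Random(seed)
    now = 1_250_000_000          # constructed epoch time near the thread's date
    next_run = now + resign_period
    early = 0
    for _ in range(n):
        if actual_end_time(now, end_offset, jitter, rng) <= next_run:
            early += 1
    return early


if __name__ == "__main__":
    print("shortest possible validity with -j 2592000:", min_validity(), "second(s)")
    print("fraction of fresh RRSIGs dead before the next hourly run:",
          f"{fraction_expiring_early():.5f}")
    print("early expiries in 72000 simulated signatures:",
          simulate_early_expiries(72000, seed=1))
    j = max_safe_jitter(cushion=86400)
    print("largest -j keeping one day of margin over the hourly run:", j,
          "-> early fraction", fraction_expiring_early(jitter=j))
```

With Paul's values roughly one fresh signature in 720 expires before the next hourly run, which on a zone with a few hundred RRSIGs is exactly an occasional "1 RRSIG" with almost no validity; capping -j at the value `max_safe_jitter` returns drives that fraction to zero.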