Strange tiny time limit RRSIG
Evan Hunt
each at isc.org
Fri Aug 14 23:18:48 UTC 2009
> I am still confused about the jitter window. I'm assuming the jitter
> window is spread between -s (now-1h) plus -i value up to -e value ?
I have been corrected by my colleague Mark Andrews: I apparently misread
both the code and the doc. Apologies for the confusion.
I *thought* the jitter window straddled E on either side, giving you a
range of E-(J/2) to E+(J/2).
The truth is that E is a hard limit, so the range you get is E-J to E.
So, given E = S + 30d, and J = 30d, you're getting expiry times ranging
from S to E.
S, in this case, is an hour in the past. I guess that accounts for the
already-expired signatures you're finding.
Note that the cycle interval (-i) doesn't enter into this calculation at
all.
> I am still not understanding either the preference for the default
> values nor the error of the values I picked..... I don't think the
> interaction between -i, -s, -e and -j is very clear to me.
There really isn't any interaction between -i and the others. All it says
is that when you're re-signing, if a signature will expire within the
time set by -i (or defaulting to 7.5 days if -i was not set), drop that
signature and sign the corresponding record again.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
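The window arithmetic described in this reply, as an added example that is not part of the original thread or of the signing tool itself: expiry is drawn from [E-J, E] with E a hard limit, and a signature is re-signed when it expires within the -i interval (7.5 days by default). The real tool picks the jitter point at random; here an evenly spaced fraction stands in for it so the result is reproducible.

```python
from datetime import datetime, timedelta

def expiry_window(end, jitter):
    """E is a hard upper limit, so a jittered expiry lies in [E - J, E]."""
    return end - jitter, end

def jittered_expiry(end, jitter, fraction):
    """Expiry at a given point through the window (0.0 = E - J, 1.0 = E).
    Constructed stand-in: the signer chooses this point at random."""
    lo, hi = expiry_window(end, jitter)
    return lo + (hi - lo) * fraction

def needs_resign(expiry, now, cycle_interval=timedelta(hours=180)):
    """Re-sign if the signature expires within the -i cycle interval
    (7.5 days = 180 hours when -i is not given)."""
    return expiry - now <= cycle_interval

def already_expired_fraction(now, start_offset, validity, jitter, samples=100):
    """Share of evenly spaced jitter points whose expiry is already past.
    start_offset is where -s sits relative to now (e.g. -1h)."""
    start = now + start_offset
    end = start + validity
    expired = 0
    for k in range(samples):
        if jittered_expiry(end, jitter, k / (samples - 1)) <= now:
            expired += 1
    return expired / samples

if __name__ == "__main__":
    # Constructed sample: S = now - 1h, E = S + 30d, J = 30d, as in the thread.
    now = datetime(2009, 8, 14, 23, 18, 48)
    print(already_expired_fraction(now, timedelta(hours=-1),
                                   timedelta(days=30), timedelta(days=30)))
    # With a small jitter the window stays entirely in the future.
    print(already_expired_fraction(now, timedelta(hours=-1),
                                   timedelta(days=30), timedelta(days=1)))
```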