Strange tiny time limit RRSIG
Evan Hunt
each at isc.org
Fri Aug 14 23:18:48 UTC 2009
> I am still confused about the jitter window. I'm assuming the jitter
> windows is spread between -s (now-1h) plus -i value up to -e value ?
I have been corrected by my colleague Mark Andrews: I apparently misread
both the code and the doc. Apologies for the confusion.
I *thought* the jitter window straddled E on either side, giving you a
range of E-(J/2) to E+(J/2).
The truth is that E is a hard limit, so the range you get is E-J to E.
So, given E = S + 30d, and J = 30d, you're getting expiry times ranging
from S to E.
S, in this case, is an hour in the past. I guess that accounts for the
already-expired signatures you're finding.
Note that the cycle interval (-i) doesn't enter into this calcuation at
all.
> I am still not understanding either the preference for the default
> values nor the error of the values I picked..... I don't think the
> interaction between -i, -s, -e and -j is very clear to me.
There really isn't any interaction between -i and the others. All it says
is that when you're re-signing, if a signature will expire within the
time set by -i (or defaulting to 7.5 days if -i was not set), drop that
signature and sign the corresponding record again.
--
Evan Hunt -- each at isc.org
Internet Systems Consortium, Inc.
More information about the bind-users
mailing list