Strange tiny time limit RRSIG
Paul Wouters
paul at xelerance.com
Sat Aug 15 19:53:18 UTC 2009
On Fri, 14 Aug 2009, Evan Hunt wrote:
> The truth is that E is a hard limit, so the range you get is E-J to E.
>
> So, given E = S + 30d, and J = 30d, you're getting expiry times ranging
> from S to E.
>
> S, in this case, is an hour in the past. I guess that accounts for the
> already-expired signatures you're finding.
>
> Note that the cycle interval (-i) doesn't enter into this calculation at
> all.
Okay. That clears things up. Is there a reason why the -i value cannot
be added to S, so that we get a range of S+i to E-j with E-j > S+i, or
else we give an error (since we'd be signing without jitter while using "-j")?
> There really isn't any interaction between -i and the others. All it says
> is that when you're re-signing, if a signature will expire within the
> time set by -i (or defaulting to 7.5 days if -i was not set), drop that
> signature and sign the corresponding record again.
It does not make much sense, though, to generate signatures with the -j
parameter that would get instantly replaced because of the -i parameter.
Paul
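Added illustration, not part of the thread: a small Python model of the expiry rule Evan describes (expiry lands in [E-J, E]) and of the sanity check Paul proposes (E-J must lie after S+I). The times, the 10000-signature sample and the function names are constructed for the example; it is not dnssec-signzone code.

```python
import random
from datetime import datetime, timedelta, timezone

# Constructed reference point standing in for "now" at signing time.
NOW = datetime(2009, 8, 14, 12, 0, tzinfo=timezone.utc)
DEFAULT_CYCLE = timedelta(hours=180)  # 7.5 days, the -i default quoted above

def expiry_window(end, jitter):
    """Rule quoted above: E is a hard upper limit and jitter is subtracted
    from it, so a signature's expiry can land anywhere in [E - J, E]."""
    return end - jitter, end

def jittered_expiry(end, jitter, rng):
    """One signature's expiry: E minus a random amount in [0, J]."""
    low, high = expiry_window(end, jitter)
    return low + timedelta(seconds=rng.uniform(0, (high - low).total_seconds()))

def classify(expiry, now=NOW, cycle=DEFAULT_CYCLE):
    """What the next signing run does with a signature of this expiry."""
    if expiry <= now:
        return "already_expired"
    if expiry - now <= cycle:
        return "resigned_next_run"  # inside the -i window: dropped and re-signed
    return "ok"

def window_is_sane(start, end, jitter, cycle=DEFAULT_CYCLE):
    """Check proposed in the mail: the earliest possible expiry (E - J) must
    be later than S + I, otherwise part of the jitter range only yields
    signatures that are expired or re-signed straight away."""
    low, _ = expiry_window(end, jitter)
    return low > start + cycle

def simulate(start, end, jitter, n=10000, seed=1):
    """Sign n records with jittered expiries and count what happens to each."""
    rng = random.Random(seed)
    counts = {"already_expired": 0, "resigned_next_run": 0, "ok": 0}
    for _ in range(n):
        counts[classify(jittered_expiry(end, jitter, rng))] += 1
    return counts

if __name__ == "__main__":
    S = NOW - timedelta(hours=1)   # start time an hour in the past
    E = S + timedelta(days=30)     # -e = S + 30d
    for J in (timedelta(days=30), timedelta(days=7)):  # -j 30d as in the thread, then a smaller jitter
        print("jitter", J, "sane:", window_is_sane(S, E, J), simulate(S, E, J))
```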