Strange tiny time limit RRSIG

Paul Wouters paul at
Sat Aug 15 19:53:18 UTC 2009

On Fri, 14 Aug 2009, Evan Hunt wrote:

> The truth is that E is a hard limit, so the range you get is E-J to E.
> So, given E = S + 30d, and J = 30d, you're getting expiry times ranging
> from S to E.
> S, in this case, is an hour in the past.  I guess that accounts for the
> already-expired signatures you're finding.
> Note that the cycle interval (-i) doesn't enter into this calcuation at
> all.

Okay. That clears things up. Is there a reason why the -i value cannot
be added to S? so that we get a range of s+i to e-j with e-j > s+i or
else we give an error (since we'd be signing without jitter while using "-j")

> There really isn't any interaction between -i and the others. All it says
> is that when you're re-signing, if a signature will expire within the
> time set by -i (or defaulting to 7.5 days if -i was not set), drop that
> signature and sign the corresponding record again.

It does not make much sense though, to generate signatures with the -j
paramter, that would get instantly replaced because of the -i parameter.


More information about the bind-users mailing list