dnssec-keygen & dnssec-signzone "smart signing" vs time zones

Mark Andrews marka at isc.org
Thu Apr 29 03:22:06 UTC 2010


In message <Pine.GSO.4.55.1004281958000.11178 at loogie.intranet.csupomona.edu>, "Paul B. Henson" writes:
> On Wed, 28 Apr 2010, Mark Andrews wrote:
> 
> > The .private timestamps are in UTC and that is what is used for key
> > management.  The .key values are just comments.  You should be able to
> > work out my current offset from UTC.
> >
> > % grep Created Klllll.+005+59421.*
> > Klllll.+005+59421.key:; Created: Thu Apr 29 11:10:24 2010
> > Klllll.+005+59421.private:Created: 20100429011024
> 
> Ah, ok, that makes more sense, thanks.
> 
> It might help prevent confusion if the documentation was more clear on time
> handling; I might have missed it but I didn't see anything explaining time
> was stored in UTC, or that times provided on the command line were
> considered to be in UTC. That last bit isn't very intuitive, typically when
> time is specified like that it's relative to your time zone. I guess I'll
> need to convert the time I want relative to my time zone to UTC and pass
> that on the command line instead.

Would something like this be better?  Do you need a UTC after the timestamp?
Note: now + delta is timezone agnostic.

; This is a zone-signing key, keyid 26628, for kij.
; Created: 20100429025050 (Thu Apr 29 12:50:50 2010)
; Publish: 20100429025050 (Thu Apr 29 12:50:50 2010)
; Activate: 20100429025050 (Thu Apr 29 12:50:50 2010)
kij. IN DNSKEY 256 3 5 AwEAAb6VYqE8stYu19VmT2nmeJd+xKKKA7u+FqVpCWmop8UoEba/4zmM
BkjfueTtWTAo2qsyX9mW10B48M+slzk3HPGLvCDP5U6iKQWQvtEm4k6/ ml0Xzvnjfc36ynQK4IuffGz
FSsYenr01qF+SGizP2pb2LIWYIjyKamYG 34+0c1/5

From dnssec-signzone

       -s start-time
           Specify the date and time when the generated RRSIG records become
           valid. This can be either an absolute or relative time. An absolute
           start time is indicated by a number in YYYYMMDDHHMMSS notation;
           20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative
           start time is indicated by +N, which is N seconds from the current
           time. If no start-time is specified, the current time minus 1 hour
           (to allow for clock skew) is used.

Mark

> -- 
> Paul B. Henson  |  (909) 979-6361  |  http://www.csupomona.edu/~henson/
> Operating Systems and Network Analyst  |  henson at csupomona.edu
> California State Polytechnic University  |  Pomona CA 91768
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
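
Working out the offset from the two `Created` lines quoted above, and converting a wanted local time into the UTC YYYYMMDDHHMMSS form, as an added Python example that is not part of the original message or of BIND. The function names are hypothetical, and the offset is treated as a fixed UTC offset, so use the one in force on the target date.

```python
import re
from datetime import datetime, timedelta

# The two grep output lines quoted in the message above.
KEY_LINE = "Klllll.+005+59421.key:; Created: Thu Apr 29 11:10:24 2010"
PRIVATE_LINE = "Klllll.+005+59421.private:Created: 20100429011024"
STAMP = "%Y%m%d%H%M%S"          # YYYYMMDDHHMMSS, UTC (.private, command line)
CTIME = "%a %b %d %H:%M:%S %Y"  # local-time comment in the .key file

def parse_private(line):
    """UTC time (naive datetime) from a .private 'Created: <stamp>' line."""
    m = re.search(r"Created:\s*(\d{14})\s*$", line)
    if not m:
        raise ValueError("no 14-digit timestamp in %r" % line)
    return datetime.strptime(m.group(1), STAMP)

def parse_key_comment(line):
    """Local time (naive datetime) from a .key '; Created: ...' comment."""
    m = re.search(r";\s*Created:\s*(.+?)\s*$", line)
    if not m:
        raise ValueError("no Created comment in %r" % line)
    return datetime.strptime(m.group(1), CTIME)

def infer_offset(key_line, private_line):
    """Offset from UTC of the zone the .key comment was written in."""
    offset = parse_key_comment(key_line) - parse_private(private_line)
    # Real zones lie between UTC-12 and UTC+14 on 15-minute steps; anything
    # else means the two lines do not describe the same instant.
    in_range = timedelta(hours=-12) <= offset <= timedelta(hours=14)
    if not in_range or offset.total_seconds() % 900:
        raise ValueError("lines differ by %s, not a zone offset" % offset)
    return offset

def local_to_stamp(local_text, offset):
    """'YYYY-MM-DD HH:MM:SS' wall-clock time at `offset` -> UTC stamp."""
    local = datetime.strptime(local_text, "%Y-%m-%d %H:%M:%S")
    return (local - offset).strftime(STAMP)

def stamp_to_comment(stamp, offset):
    """UTC stamp -> 'stamp (local time)', the layout proposed in the message."""
    local = datetime.strptime(stamp, STAMP) + offset
    return "%s (%s)" % (stamp, local.strftime(CTIME))

if __name__ == "__main__":
    off = infer_offset(KEY_LINE, PRIVATE_LINE)
    print("offset from UTC:", off)
    print("UTC stamp:", local_to_stamp("2010-04-29 11:10:24", off))
    print("; Created:", stamp_to_comment("20100429025050", off))
```
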



More information about the bind-users mailing list