DNSSEC key rollover problems

Hugo Salgado hsalgado at nic.cl
Thu Dec 29 19:07:52 UTC 2011

On 12/28/2011 10:42 PM, Spain, Dr. Jeffry A. wrote:
> First of all is it correct that the time stamps shown by dig for RRSIG
> records are in local time? Otherwise, if the time stamps show UTC, then
> the RRSIG for jaspain.net SOA for ZSK 42152 was generated at
> 20111210230000, one hour prior to that key’s activation.

The timestamps are always in UTC. The hour in advance is called the
"inception time", and it is good practice to sign a record with an
inception time in the past. That way you allow it to be validated even
by resolvers without perfect clock synchronization.
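
The effect described in the reply above, as an added example that is not part of the original post: it reads the inception and expiration fields of an RRSIG line and checks them against a resolver whose clock runs slow. The function names, the expiration date, TTL, algorithm number and signature placeholder are assumptions made for the example; only the inception time and key tag come from the thread.

```python
from datetime import datetime, timedelta, timezone

def parse_rrsig_time(field):
    """RFC 4034 sec. 3.2: YYYYMMDDHHmmSS in UTC, or decimal seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def rrsig_window(rr):
    """Return (inception, expiration) from one RRSIG line as printed by dig."""
    f = rr.split()
    i = f.index("RRSIG")
    # RDATA order: covered alg labels orig-ttl EXPIRATION INCEPTION key-tag signer sig
    return parse_rrsig_time(f[i + 6]), parse_rrsig_time(f[i + 5])

def validates_at(rr, resolver_clock):
    """Time check only: is the resolver's idea of 'now' inside the signature window?"""
    inception, expiration = rrsig_window(rr)
    return inception <= resolver_clock <= expiration

# Constructed records. Inception 20111210230000 and key tag 42152 are from the post;
# TTL, algorithm, expiration and the signature placeholder are made up.
BACKDATED = ("jaspain.net. 3600 IN RRSIG SOA 8 2 3600 "
             "20120109230000 20111210230000 42152 jaspain.net. c2lnbmF0dXJl")
# Same record if the signer had used the key's activation time as inception.
NOT_BACKDATED = BACKDATED.replace("20111210230000", "20111211000000")

ACTIVATION = datetime(2011, 12, 11, 0, 0, 0, tzinfo=timezone.utc)
SLOW_CLOCK = ACTIVATION - timedelta(minutes=10)   # resolver running 10 minutes behind

if __name__ == "__main__":
    for name, rr in (("backdated", BACKDATED), ("not backdated", NOT_BACKDATED)):
        inc, exp = rrsig_window(rr)
        print(f"{name:14} {inc:%Y-%m-%d %H:%M}Z .. {exp:%Y-%m-%d %H:%M}Z "
              f"valid on slow clock: {validates_at(rr, SLOW_CLOCK)}")
```

The check covers only the time window, not the cryptographic signature, and the epoch form does not handle 32-bit wrap-around.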

