DNSSEC key rollover problems
hsalgado at nic.cl
Thu Dec 29 19:07:52 UTC 2011
On 12/28/2011 10:42 PM, Spain, Dr. Jeffry A. wrote:
> First of all is it correct that the time stamps shown by dig for RRSIG
> records are in local time? Otherwise, if the time stamps show UTC, then
> the RRSIG for jaspain.net SOA for ZSK 42152 was generated at
> 20111210230000, one hour prior to that key’s activation.
The timestamps are always in UTC. The hour in advance is called the
"inception time", and is a good practice to sign a record with an
inception time in the past. That way you allow it to be validated even
with resolvers with not a perfect clock synchronization.
More information about the bind-users