proper setup of dnssec-validation to _always_ resolve, and retrieve DATA and status flags ?

Mark Andrews marka at isc.org
Tue May 10 06:58:25 UTC 2011


In message <1305008349.11252.1450182761 at webmail.messagingengine.com>, "" writes
:
> 
> 
> On Tue, 10 May 2011 16:15 +1000, "Mark Andrews" <marka at isc.org> wrote:
> > > looks good, right?
> > 
> > yes.
> 
> MANY thanks!  i wouldn't have easily found this ...
> 
> > DNSSEC only needs wristwatch time accuracy however it is easy to
> > get the time wrong if the server is configured in the wrong timezone.
> > The error was equal to the local time offset from UTC which indicates
> > it was running in UTC but set with the local time.
> 
> not sure how to read that.  now that my time's correct again, can/should
> I leave the server as is?  or is there a specific recommendation for
> time setup on a DNS server?

"date -u" may now be correct but is plain "date"?   If it isn't you
should correct timezone for the server so that both "date" and "date
-u" are correct.  Otherwise you leave the server open to the
accidental misconfiguration that probably caused this problem in
the first place.

> Thanks again,
> 
> DCh
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org



More information about the bind-users mailing list