[dns-operations] Allowance for inaccurate clocks
jpmens.dns at gmail.com
Wed Mar 16 12:06:48 UTC 2011
> When checking signature inception/expiration fields in DNSSEC, should a validator
> make an allowance for small inaccuracies in clocks?
I'm not aware of a standard either.
Unbound makes it configurable:
# The signature inception and expiration dates are allowed to be off
# by 10% of the signature lifetime (expir-incep) from our local clock.
# This leeway is capped with a minimum and a maximum. In seconds.
# val-sig-skew-min: 3600
# val-sig-skew-max: 86400
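
The leeway rule described in the unbound.conf comments above, worked through as an added example. It is not part of the original message and is not Unbound's source code; the function names are hypothetical, and the defaults are the two values quoted above. Timestamps are compared with 32-bit serial arithmetic, as RRSIG inception/expiration fields require.

```python
# Added example: signature-date check with proportional clock-skew leeway.
# Function names are hypothetical; this is not Unbound's implementation.
SKEW_MIN = 3600      # val-sig-skew-min from the quoted config, seconds
SKEW_MAX = 86400     # val-sig-skew-max from the quoted config, seconds
MOD = 1 << 32        # RRSIG timestamps are 32-bit seconds since the epoch


def serial_diff(a, b):
    """Signed a - b under RFC 1982 serial arithmetic (32-bit)."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d


def allowed_skew(inception, expiration, skew_min=SKEW_MIN, skew_max=SKEW_MAX):
    """10% of the signature lifetime, clamped to [skew_min, skew_max]."""
    lifetime = serial_diff(expiration, inception)
    return max(skew_min, min(skew_max, lifetime // 10))


def check_dates(inception, expiration, now, skew_min=SKEW_MIN, skew_max=SKEW_MAX):
    """Return 'valid', 'not-yet-valid', 'expired' or 'bad-dates'."""
    if serial_diff(expiration, inception) < 0:
        return "bad-dates"            # expiration precedes inception
    skew = allowed_skew(inception, expiration, skew_min, skew_max)
    if serial_diff(inception, now) > skew:
        return "not-yet-valid"        # local clock too far behind the signer
    if serial_diff(now, expiration) > skew:
        return "expired"              # local clock too far ahead of the signer
    return "valid"


if __name__ == "__main__":
    # Constructed sample: a 30-day signature checked by a clock that runs fast.
    incep = 1300000000
    expir = incep + 30 * 86400
    print("skew:", allowed_skew(incep, expir))   # 10% is 259200, capped to max
    for late in (3600, 86400, 86401):
        print(late, check_dates(incep, expir, expir + late))
```

Note that the minimum dominates for short-lived signatures: a one-hour signature still gets a full hour of leeway on each side.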