[dns-operations] Allowance for inaccurate clocks

Jan-Piet Mens jpmens.dns at gmail.com
Wed Mar 16 12:06:48 UTC 2011


> When checking signature inception/expiration fields in DNSSEC, should a validator
> make an allowance for small inaccuracies in clocks?

I'm not aware of a standard either.
Unbound makes it configurable:

        # The signature inception and expiration dates are allowed to be off
        # by 10% of the signature lifetime (expir-incep) from our local clock.
        # This leeway is capped with a minimum and a maximum.  In seconds.
        # val-sig-skew-min: 3600
        # val-sig-skew-max: 86400

Regards,

        -JP
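
Added example, not part of the original message and not Unbound's code: a sketch of the leeway rule described in the config comments above (10% of the signature lifetime, clamped between val-sig-skew-min and val-sig-skew-max), applied to an RRSIG validity check. The function names are hypothetical, and the 32-bit serial-number comparison of RRSIG timestamps (RFC 4034, RFC 1982) goes beyond what the message covers.

```python
# Added illustration of the skew rule quoted above; not Unbound's source.
SKEW_MIN = 3600    # val-sig-skew-min, value from the quoted config
SKEW_MAX = 86400   # val-sig-skew-max, value from the quoted config
MOD = 1 << 32      # RRSIG inception/expiration are 32-bit and wrap


def serial_diff(a, b):
    """Signed (a - b) under 32-bit serial number arithmetic (RFC 1982)."""
    d = (a - b) % MOD
    return d - MOD if d >= MOD // 2 else d


def allowed_skew(inception, expiration, skew_min=SKEW_MIN, skew_max=SKEW_MAX):
    """10% of the signature lifetime, clamped to [skew_min, skew_max]."""
    lifetime = serial_diff(expiration, inception)
    return max(skew_min, min(skew_max, lifetime // 10))


def check_rrsig_time(now, inception, expiration, **limits):
    """Return 'ok', 'not-yet-valid', 'expired' or 'bad-window'."""
    if serial_diff(expiration, inception) < 0:
        return "bad-window"        # expiration precedes inception
    skew = allowed_skew(inception, expiration, **limits)
    if serial_diff(inception, now) > skew:
        return "not-yet-valid"     # inception too far ahead of our clock
    if serial_diff(now, expiration) > skew:
        return "expired"           # expiration too far behind our clock
    return "ok"


if __name__ == "__main__":
    inc = 1300000000               # constructed sample timestamps
    for label, life in (("1 hour", 3600), ("1 day", 86400), ("30 days", 30 * 86400)):
        exp = inc + life
        skew = allowed_skew(inc, exp)
        late = check_rrsig_time(exp + skew + 1, inc, exp)
        print(f"{label:8} lifetime: skew={skew:6d}s, one second past leeway -> {late}")
```

With these limits a one-hour signature still gets a full hour of leeway on each side, because the minimum clamp exceeds 10% of its lifetime.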


