[dns-operations] Allowance for inaccurate clocks
cet1 at cam.ac.uk
Wed Mar 16 12:51:45 UTC 2011
On Mar 16 2011, George Barwood wrote:
>When checking signature inception/expiration fields in DNSSEC, should
>a validator make an allowance for small inaccuracies in clocks?
>Or is this the job of the zone signer? I'm not aware of anything in the
>standard on this issue.
>Anyone have views on how much allowance should be made?
One data point: the BIND authors clearly think it is the responsibility
of the signer. From the BIND ARM, in connection with automated signing:

    The signature inception time is unconditionally set to one hour
    before the current time to allow for a limited amount of clock skew.

Chris Thompson University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715 United Kingdom.
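
Added example, not part of the original message and not BIND code: a sketch of the two places the allowance discussed in this thread can live, the signer backdating inception by one hour (as in the ARM quote) and the validator widening the window by a skew allowance. The function names, the 900-second validator allowance and the 30-day validity are assumptions chosen for illustration; the timestamps are constructed.

```python
from datetime import datetime, timezone

MASK = 0xFFFFFFFF  # RRSIG inception/expiration are 32-bit second counters

def rrsig_time(text):
    """Parse the presentation form YYYYMMDDHHmmSS (UTC) to 32-bit seconds."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) & MASK

def serial_lt(a, b):
    """True if a is earlier than b under RFC 1982 serial arithmetic."""
    return a != b and ((b - a) & MASK) < 0x80000000

def signer_inception(sign_time, backdate=3600):
    """Signer-side allowance: backdate inception (one hour, per the ARM quote)."""
    return (sign_time - backdate) & MASK

def check_window(inception, expiration, now, skew=0):
    """Validator-side check; skew (an assumed knob) widens both ends."""
    now &= MASK
    if serial_lt(now, (inception - skew) & MASK):
        return "not-yet-valid"
    if serial_lt((expiration + skew) & MASK, now):
        return "expired"
    return "valid"

if __name__ == "__main__":
    signed_at = rrsig_time("20110316125145")   # constructed sample time
    expires = (signed_at + 30 * 86400) & MASK  # constructed 30-day validity
    slow_clock = signed_at - 600               # validator 10 minutes behind
    # No allowance anywhere: a fresh signature is rejected by the slow clock.
    print(check_window(signed_at, expires, slow_clock))
    # Signer backdates inception by one hour: accepted.
    print(check_window(signer_inception(signed_at), expires, slow_clock))
    # Validator allows 900 s of skew instead: also accepted.
    print(check_window(signed_at, expires, slow_clock, skew=900))
    # Validator two hours behind: the one-hour backdate is not enough.
    print(check_window(signer_inception(signed_at), expires, signed_at - 7200))
```

The signer can only help with the inception side; a validator whose clock runs fast past expiration is covered only by a validator-side allowance or by re-signing well before expiry.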