[dns-operations] Allowance for inaccurate clocks

Chris Thompson cet1 at cam.ac.uk
Wed Mar 16 12:51:45 UTC 2011

On Mar 16 2011, George Barwood wrote:

>When checking signature inception/expiration fields in DNSSEC, should
>a validator make an allowance for small inaccuracies in clocks?
>Or is this the job of the zone signer? I'm not aware anything in the
>standard on this issue.
>Anyone have views on how much allowance should be made?

One data point: the BIND authors clearly think it is the responsibility
of the signer. From the BIND ARM, in connection with automated signing:

  The signature inception time is unconditionally set to one hour
  before the current time to allow for a limited amount of clock skew.

Chris Thompson               University of Cambridge Computing Service,
Email: cet1 at ucs.cam.ac.uk    New Museums Site, Cambridge CB2 3QH,
Phone: +44 1223 334715       United Kingdom.

More information about the dns-operations mailing list