[dns-operations] Allowance for inaccurate clocks

bert hubert bert.hubert at netherlabs.nl
Wed Mar 16 15:10:10 UTC 2011


On Wed, Mar 16, 2011 at 10:56:05AM -0400, Samuel Weiler wrote:
> Down this path lies madness.  It always seems like a good idea, but
> it's a very slippery slope.
> 
> The operational docs (e.g. 4341) tell signers to take care of this
> on their end.  For the sake of sanity, don't try anything else.

"+1". If people want margin, let them do more signing for periods that
overlap more.

It is completely unlike the 'fudge' of TSIG; the fudge there basically
defines the expiry time.

But for RRSIGs we have an expire time already. No need to fudge it even
more.

	Bert
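
The contrast drawn in the message above, as an added illustration that is not part of the original post: a TSIG check where the fudge bounds the acceptable time, next to a strict RRSIG window check where any clock-skew margin comes from the signer backdating inception and overlapping validity periods. The function names, timestamps and the 7-day/14-day/1-hour schedule are assumptions chosen for the example.

```python
# Added illustration: TSIG fudge vs. RRSIG validity window, with the
# clock-skew margin supplied by the signer rather than the validator.
# All timestamps and margins below are constructed sample values.

def tsig_time_ok(now, time_signed, fudge):
    """TSIG (RFC 2845): valid only within Time Signed plus/minus Fudge."""
    return abs(now - time_signed) <= fudge

def serial_lte(a, b):
    """a <= b under RFC 1982 serial arithmetic on 32-bit values."""
    return ((b - a) & 0xFFFFFFFF) < 0x80000000

def rrsig_time_ok(now, inception, expiration):
    """RRSIG (RFC 4034, 3.1.5): strict window check, no fudge added."""
    return serial_lte(inception, now) and serial_lte(now, expiration)

def sign_window(sign_time, lifetime, backdate):
    """Signer-side margin: backdate inception; returns (inception, expiration)."""
    return ((sign_time - backdate) & 0xFFFFFFFF,
            (sign_time + lifetime) & 0xFFFFFFFF)

def covered(now, windows):
    """True if at least one published RRSIG is valid at validator time `now`."""
    return any(rrsig_time_ok(now, i, e) for i, e in windows)

DAY = 86400
T0 = 1300288210  # constructed sample signing time (seconds since epoch)

# Constructed schedule: re-sign every 7 days, 14-day lifetime, 1-hour
# backdated inception, so consecutive signatures overlap by a week.
schedule = [sign_window(T0 + n * 7 * DAY, 14 * DAY, 3600) for n in range(3)]

if __name__ == "__main__":
    slow_clock = T0 - 600  # validator clock 10 minutes behind the signer
    print("no backdating :", rrsig_time_ok(slow_clock, *sign_window(T0, 14 * DAY, 0)))
    print("1h backdating :", rrsig_time_ok(slow_clock, *schedule[0]))
    print("day 20 covered:", covered(T0 + 20 * DAY, schedule))
    print("day 29 covered:", covered(T0 + 29 * DAY, schedule))
```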


