[dns-operations] Allowance for inaccurate clocks
bert hubert
bert.hubert at netherlabs.nl
Wed Mar 16 15:10:10 UTC 2011
On Wed, Mar 16, 2011 at 10:56:05AM -0400, Samuel Weiler wrote:
> Down this path lies madness. It always seems like a good idea, but
> it's a very slippery slope.
>
> The operational docs (e.g. 4341) tell signers to take care of this
> on their end. For the sake of sanity, don't try anything else.
"+1". If people want margin, let them do more signing for periods that
overlap more.

It is completely unlike the 'fudge' of TSIG, the fudge there basically
defines the expiry time.

But for RRSIGs we have an expire time already. No need to fudge it even
more.

Bert
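
The signer-side margin discussed in this message, as an added example that is not part of the original post: a strict validator check (RFC 1982 serial arithmetic, no validator-side allowance) run against a signing schedule whose signature periods overlap. The `SigningPolicy` model, its field names and all numbers are constructed assumptions.

```python
from dataclasses import dataclass

MOD, HALF = 2 ** 32, 2 ** 31

def serial_le(a: int, b: int) -> bool:
    """a <= b in RFC 1982 serial arithmetic, as RRSIG timestamps require."""
    return (b - a) % MOD < HALF

def rrsig_valid(inception: int, expiration: int, now: int) -> bool:
    """Strict validator check: no allowance added on the validator side."""
    return serial_le(inception, now % MOD) and serial_le(now % MOD, expiration)

@dataclass
class SigningPolicy:          # hypothetical model, all values in seconds
    resign_every: int         # interval between signing runs
    lifetime: int             # expiration = signing time + lifetime
    backdate: int             # inception = signing time - backdate
    ttl: int                  # how long a cache may keep serving an old RRSIG

    def rrsig_at(self, t: int, cached_for: int = 0):
        """(inception, expiration) of the RRSIG a resolver holds at true time t."""
        signed = ((t - cached_for) // self.resign_every) * self.resign_every
        return (signed - self.backdate) % MOD, (signed + self.lifetime) % MOD

    def tolerated_skew(self):
        """(slow, fast): validator clock error that never breaks validation."""
        return self.backdate, self.lifetime - self.resign_every - self.ttl

    def always_validates(self, skew: int, start: int, step: int = 600) -> bool:
        """Brute-force check over one signing cycle, fresh and fully cached data."""
        for t in range(start, start + self.resign_every, step):
            for cached_for in (0, self.ttl):
                inc, exp = self.rrsig_at(t, cached_for)
                if not rrsig_valid(inc, exp, t + skew):
                    return False
        return True

if __name__ == "__main__":
    DAY = 86400
    # Constructed policy: sign weekly, 14-day lifetime, 1 h backdate, 1-day TTL.
    policy = SigningPolicy(resign_every=7 * DAY, lifetime=14 * DAY,
                           backdate=3600, ttl=DAY)
    slow, fast = policy.tolerated_skew()
    print(f"validator may run {slow}s slow or {fast}s fast with no fudge")
```

Lengthening `lifetime` relative to `resign_every`, or increasing `backdate`, widens the tolerated skew without any change on the validator.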