[dns-operations] Allowance for inaccurate clocks

Francis Dupont Francis.Dupont at fdupont.fr
Wed Mar 16 15:26:51 UTC 2011


 In your previous mail you wrote:

   Or is this the job of the zone signer?
   
=> it is.

   Anyone have views on how much allowance should be made?

=> in fact the problem is more likely to happen with the
inception date (this is why BIND9 dnssec-signzone uses by
default "now - 1 hour" and not "now" for it). It makes
signatures fail to validate with a just-signed zone,
so the one hour is very conservative for a real clock skew.

Regards

Francis.Dupont at fdupont.fr
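
Added example (not part of the original message and not BIND code): the time-window part of RRSIG validation, run against validators whose clocks are skewed, to show why an inception of "now" fails on a slow validator while "now - 1 hour" passes. The function names, the 30-day signature lifetime and the sample clock values are assumptions constructed for illustration.

```python
from calendar import timegm
from time import strptime

MASK = 0xFFFFFFFF  # RRSIG inception/expiration are 32-bit second counters


def rrsig_time(text):
    """Parse an RRSIG timestamp in YYYYMMDDHHmmSS presentation form (UTC)."""
    return timegm(strptime(text, "%Y%m%d%H%M%S")) & MASK


def serial_le(a, b):
    """a <= b using RFC 1982 serial arithmetic, so the check survives wrap."""
    return ((b - a) & MASK) < 0x80000000


def check_window(inception, expiration, validator_now):
    """Time-window part of RRSIG validation, using the validator's own clock."""
    if not serial_le(inception, validator_now):
        return "not yet valid"
    if not serial_le(validator_now, expiration):
        return "expired"
    return "ok"


def sign_window(signer_now, inception_offset, lifetime=30 * 86400):
    """Signer side: back-date inception by inception_offset seconds.
    The 30-day lifetime is an assumption for this example."""
    inception = (signer_now - inception_offset) & MASK
    return inception, (inception + lifetime) & MASK


def outcomes(inception_offset, skews):
    """Result per validator clock skew (seconds; negative = validator is slow)."""
    signer_now = rrsig_time("20110316152651")  # constructed sample clock
    inc, exp = sign_window(signer_now, inception_offset)
    return {s: check_window(inc, exp, (signer_now + s) & MASK) for s in skews}


if __name__ == "__main__":
    skews = [-7200, -300, 0, 300]
    print("inception = now         :", outcomes(0, skews))
    print("inception = now - 1 hour:", outcomes(3600, skews))
```

A validator running five minutes slow rejects the freshly signed zone when inception is "now"; with the one-hour back-date only a validator more than an hour slow is affected.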


