[dns-operations] Allowance for inaccurate clocks
Francis Dupont
Francis.Dupont at fdupont.fr
Wed Mar 16 15:26:51 UTC 2011
In your previous mail you wrote:

   Or is this the job of the zone signer?

=> it is.

   Anyone have views on how much allowance should be made?

=> in fact the problem is more likely to happen with the
inception date (this is why BIND9 dnssec-signzone uses by
default "now - 1 hour" and not "now" for it). It makes
signatures fail to validate with a just signed zone,
so the one hour is very conservative for a real clock skew.

Regards
Francis.Dupont at fdupont.fr
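
The inception-date effect described in the message above, as an added example that is not part of the original post and is not BIND9 code. The function names, the timestamps and the 30-day signature lifetime are assumptions made for illustration; the comparison uses serial number arithmetic as RFC 4034 section 3.1.5 requires for RRSIG time fields.

```python
# Added illustration: how the signer's inception offset absorbs a slow
# validator clock. All timestamps below are constructed sample values.
MOD = 1 << 32          # RRSIG time fields are 32-bit seconds since the epoch
HALF = 1 << 31

def serial_lt(a, b):
    """RFC 1982 serial number comparison: True if a is before b."""
    return a != b and ((b - a) % MOD) < HALF

def rrsig_time_valid(inception, expiration, validator_now):
    """True if inception <= validator_now <= expiration (serial arithmetic)."""
    now = validator_now % MOD
    too_early = serial_lt(now, inception % MOD)
    too_late = serial_lt(expiration % MOD, now)
    return not too_early and not too_late

def validates_fresh_zone(signer_now, inception_offset, validator_skew,
                         lifetime=30 * 86400):
    """Would a validator whose clock is off by validator_skew seconds
    (negative = slow) accept a signature made at signer_now?
    inception_offset is how far the signer backdates the inception time;
    lifetime is an assumed value for this example."""
    inception = signer_now - inception_offset
    expiration = signer_now + lifetime
    return rrsig_time_valid(inception, expiration, signer_now + validator_skew)

if __name__ == "__main__":
    T = 1300000000  # constructed signing time
    for offset, skew in [(0, -300), (3600, -300), (3600, -7200)]:
        ok = validates_fresh_zone(T, offset, skew)
        print(f"inception=now-{offset}s, validator skew {skew}s: "
              f"{'valid' if ok else 'not yet valid'}")
```

With the inception set to "now", a validator only five minutes slow rejects a just-signed zone; backdating by one hour tolerates any slow clock up to one hour, and nothing beyond that.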