[dns-operations] Allowance for inaccurate clocks

Dave Knight dave at knig.ht
Wed Mar 16 14:50:27 UTC 2011

On 2011-03-16, at 5:51 AM, Chris Thompson wrote:

> On Mar 16 2011, George Barwood wrote:
>> When checking signature inception/expiration fields in DNSSEC, should
>> a validator make an allowance for small inaccuracies in clocks?
>> Or is this the job of the zone signer? I'm not aware anything in the
>> standard on this issue.
>> Anyone have views on how much allowance should be made?
> One data point: the BIND authors clearly think it is the responsibility
> of the signer. From the BIND ARM, in connection with automated signing:
> The signature inception time is unconditionally set to one hour
> before the current time to allow for a limited amount of clock skew.

OpenDNSSEC does the same thing, but it's configurable


<InceptionOffset> is a duration subtracted from the time at which a record is signed to give the start time of the record. This is required to allow for clock skew between the signing system and the system on which the signature is checked. Without it, the possibility exists that the checking system could retrieve a signature whose start time is later than the current time.

In the default policy this value is set to one hour.


More information about the dns-operations mailing list