[dns-operations] Allowance for inaccurate clocks

Mark Andrews marka at isc.org
Thu Mar 17 03:47:34 UTC 2011


In message <20110317023456.GG15369 at x27.adm.denic.de>, Peter Koch writes:
> On Wed, Mar 16, 2011 at 06:50:04PM -0400, Olafur Gudmundsson wrote:
> 
> > I agree with Mark, here 1 day in the past is a good time for signature
> > initiation time.
> 
> while I cannot see a specific reason to be too strict with the inception
> time, the logic re: clock fuzz would hold in the opposite direction, i.e.
> wherever you'd have remaining RRSIG lifetimes of n days, you'd have to account
> for n+1 days instead.  Not sure I buy that.

As for the other direction you should be {re-}signing the records so
that the secondaries can continue to serve good data up until they
expire the zone.   If expire is set at 7 days you really need to
be {re-}signing the zone such that all records have a minimum of 8
days of validity at all times.

> -Peter
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka at isc.org
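The arithmetic behind the two numbers in this exchange (backdating inception by one day, and keeping every RRSIG valid for at least SOA expire plus one day at all times), as an added worked example that is not code from ISC, the list, or any signer. The 30-day validity, 7-day re-sign interval and 7-day SOA expire are assumed policy values for illustration, not defaults of any product; the timestamp is constructed from the date of this message.

```python
"""RRSIG timing arithmetic for the thread above: backdated inception for
validators with slow clocks, and a re-sign schedule that keeps secondaries
serving valid signatures until they expire the zone.
Added illustration only; all policy numbers are assumptions."""
from datetime import datetime, timedelta, timezone

DAY = timedelta(days=1)
HOUR = timedelta(hours=1)

# Constructed: the timestamp of Mark's message, used as "now" for the signer.
EXAMPLE_SIGNED_AT = datetime(2011, 3, 17, 3, 47, 34, tzinfo=timezone.utc)


def rrsig_times(signed_at, inception_skew=DAY, validity=30 * DAY):
    """Inception/expiration for a signature produced at `signed_at`.
    Inception is backdated by `inception_skew` (1 day, as agreed in the
    thread) so a validator whose clock runs behind the signer's does not
    reject a freshly made signature as "not yet valid"."""
    return signed_at - inception_skew, signed_at + validity


def to_rrsig_presentation(t):
    """RFC 4034 presentation format for RRSIG timestamps: YYYYMMDDHHmmSS, UTC."""
    return t.astimezone(timezone.utc).strftime("%Y%m%d%H%M%S")


def validator_accepts(validator_now, inception, expiration):
    """A validator only uses the RRSIG while inception <= now <= expiration
    according to its own clock, however wrong that clock is."""
    return inception <= validator_now <= expiration


def min_remaining_validity(validity, resign_interval):
    """Worst-case remaining lifetime of any RRSIG in the zone, reached by the
    record about to be re-signed: one full re-sign interval after signing."""
    return validity - resign_interval


def resign_schedule_ok(validity, resign_interval, soa_expire, clock_slop=DAY):
    """Mark's rule: a secondary that stops hearing from its master keeps
    serving the zone until SOA expire, so every RRSIG must outlive that,
    plus slop for clock fuzz (7 + 1 = 8 days in his example)."""
    return min_remaining_validity(validity, resign_interval) >= soa_expire + clock_slop


def max_resign_interval(validity, soa_expire, clock_slop=DAY):
    """Longest gap between signing runs that still satisfies the rule."""
    return validity - soa_expire - clock_slop


if __name__ == "__main__":
    inc, exp = rrsig_times(EXAMPLE_SIGNED_AT)
    print("inception ", to_rrsig_presentation(inc))
    print("expiration", to_rrsig_presentation(exp))
    slow_validator = EXAMPLE_SIGNED_AT - 12 * HOUR   # clock 12 hours behind
    print("backdated inception accepted:", validator_accepts(slow_validator, inc, exp))
    print("inception = now accepted:   ", validator_accepts(slow_validator, EXAMPLE_SIGNED_AT, exp))
    print("30d validity, re-sign every 7d, expire 7d:", resign_schedule_ok(30 * DAY, 7 * DAY, 7 * DAY))
    print("10d validity, re-sign every 3d, expire 7d:", resign_schedule_ok(10 * DAY, 3 * DAY, 7 * DAY))
    print("max re-sign interval at 30d validity:", max_resign_interval(30 * DAY, 7 * DAY))
```

The second schedule fails even though every signature is re-signed long before it expires: the signer is fine, but a secondary cut off from the master after the last re-sign would serve signatures that die a day before it gives up the zone. Re-sign interval, signature validity and SOA expire have to be chosen together.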
