[dns-operations] .mm off the air for anyone who validates

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Jan 22 09:57:55 UTC 2013


On 01/18/2013 04:06 PM, Chris Thompson wrote:
> On Jan 18 2013, Stephane Bortzmeyer wrote:
> 
>> On Fri, Jan 18, 2013 at 09:08:37AM +1100,
>> Mark Andrews <marka at isc.org> wrote a message of 38 lines which said:
>>
>>> .mm failed to re-sign their DNSKEY RRset.
>>
>> Note that, because Unbound is tolerant by default ("10 % rule"),
>> Unbound users will see the problem only on Sunday:
> 
> Is fudging the expiry times like that really a good idea? If all
> validators allowed a 10% overrun, DNS operators would just
> get 10% sloppier and we would be back where we started.

Note that this Unbound setting is not about accepting sloppiness or
being extra tolerant. What people here refer to as the "10% rule" is
about mitigating the problem of clock skew and timezones. Also, these
values are capped: the minimum skew is 1 hour. That value has been
chosen to prevent problems caused by daylight savings differences. The
maximum is 24 hours. These settings can be adjusted in unbound.conf with
'val-sig-skew-min:' and 'val-sig-skew-max:'.

Best regards,
  Matthijs
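As an added illustration (not Unbound's own code and not part of the thread), the following models the RRSIG time check described above: the tolerance is 10% of the signature validity period, clamped to the 1-hour minimum and 24-hour maximum the post gives for 'val-sig-skew-min:' and 'val-sig-skew-max:'. It assumes the skew is applied symmetrically at both ends of the window, and the .mm-like timestamps are constructed.

```python
# Added example, not Unbound's code: a model of the validator's "10% rule"
# for RRSIG time checks. Inception/expiration are seconds since the epoch,
# as in the RRSIG RDATA (serial-number arithmetic is omitted for brevity).

HOUR = 3600
DAY = 24 * HOUR
VAL_SIG_SKEW_MIN = 1 * HOUR    # val-sig-skew-min default, per the post
VAL_SIG_SKEW_MAX = 24 * HOUR   # val-sig-skew-max default, per the post


def allowed_skew(inception, expiration,
                 skew_min=VAL_SIG_SKEW_MIN, skew_max=VAL_SIG_SKEW_MAX):
    """Skew tolerated on each side of the RRSIG window: 10% of the
    validity period, but never below skew_min or above skew_max."""
    if expiration <= inception:
        raise ValueError("RRSIG inception must precede expiration")
    return max(skew_min, min((expiration - inception) // 10, skew_max))


def rrsig_time_check(now, inception, expiration,
                     skew_min=VAL_SIG_SKEW_MIN, skew_max=VAL_SIG_SKEW_MAX):
    """Return (accepted, reason). The tolerance absorbs clock skew and
    timezone mistakes; the caps keep it from becoming a free extension."""
    skew = allowed_skew(inception, expiration, skew_min, skew_max)
    if inception - now > skew:
        return False, "signature inception in the future"
    if now - expiration > skew:
        return False, "signature expired"
    return True, "valid"


# Constructed scenario resembling the .mm incident: a DNSKEY RRSIG with a
# 30-day validity window that was not re-signed before it expired.
INCEPTION = 1_357_000_000             # constructed timestamp (January 2013)
EXPIRATION = INCEPTION + 30 * DAY

if __name__ == "__main__":
    # 10% of 30 days would be 72 hours; the cap reduces it to 24 hours.
    print("allowed skew:", allowed_skew(INCEPTION, EXPIRATION) // HOUR, "hours")
    for hours_late in (0, 20, 30):
        now = EXPIRATION + hours_late * HOUR
        print(f"{hours_late:2d}h after expiration:",
              rrsig_time_check(now, INCEPTION, EXPIRATION))
```

Validators without such a tolerance fail the zone the moment the RRSIG expires; with the capped skew, failure follows one day later, which is why the thread expected Unbound users to notice on a different day.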
