[dns-operations] Minimum clock skew tolerance?

Viktor Dukhovni ietf-dane at dukhovni.org
Thu May 25 04:05:37 UTC 2017


I just noticed that the SOA signature inception of the .mg TLD was over 30 minutes
in the future.

   http://dnsviz.net/d/example.mg/WSZWvg/dnssec/

Perhaps it was even longer earlier, but I was not looking then.  Is +30 minutes
within the expected tolerance of validating resolvers?  Is it poor practice?

DNSViz seems to regard that much clock skew as "bogus"...

-- 
	Viktor.





More information about the dns-operations mailing list