[dns-operations] Minimum clock skew tolerance?

Mark Andrews marka at isc.org
Thu May 25 04:26:24 UTC 2017


Named’s signers set the inception date to (now - 1 hour), by default, to allow
for clock skew.  I’ve been tempted to make that (now - 1 day).  Resigning should
be done days before the signatures expire.  They should be valid for at least
the SOA’s expire interval to handle replication issues. Validators really shouldn’t
have to add allowances for clock skew.

None of this is documented in any RFC.

Mark

> On 25 May 2017, at 2:05 pm, Viktor Dukhovni <ietf-dane at dukhovni.org> wrote:
> 
> 
> I just noticed that the SOA signature inception of the .mg TLD was over 30 minutes
> in the future.
> 
>   http://dnsviz.net/d/example.mg/WSZWvg/dnssec/
> 
> Perhaps it was even longer earlier, but I was not looking then.  Is +30 minutes
> within the expected tolerance of validating resolvers?  Is it poor practice?
> 
> DNSViz seems to regard that much clock skew as "bogus"...
> 
> -- 
> 	Viktor.
> 
> 
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka at isc.org
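The validity-window practice in Mark's reply, turned into a checker. This is an added example, not code from the thread or from BIND: the one-hour backdating is named's default as stated above, the two-day re-signing lead time is an assumption, and the timestamps are constructed (they are not the real .mg data).

```python
from datetime import datetime, timedelta, timezone

# Defaults: named backdates inception by one hour (stated in the thread); the
# two-day re-signing lead time is an assumption ("days before" in the thread).
DEFAULT_SKEW_ALLOWANCE = timedelta(hours=1)
DEFAULT_RESIGN_LEAD = timedelta(days=2)


def parse_rrsig_time(text):
    """Parse an RRSIG inception/expiration field in RFC 4034 presentation
    format (YYYYMMDDHHmmSS, always UTC) into a timezone-aware datetime."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_rrsig_window(inception, expiration, soa_expire, now,
                       skew_allowance=DEFAULT_SKEW_ALLOWANCE,
                       resign_lead=DEFAULT_RESIGN_LEAD):
    """Audit one RRSIG validity window against the practice described in the
    reply. inception/expiration/now are aware datetimes, soa_expire is the SOA
    expire field in seconds. Returns a list of (code, detail); empty means OK."""
    findings = []
    # 1. A validator rejects a signature whose inception is still in the future,
    #    so a signer clock running ahead yields "bogus" answers (the .mg case).
    if inception > now:
        findings.append(("future_inception",
                         f"inception is {inception - now} ahead of now"))
    # 2. Inception less than skew_allowance ago means the signer did not backdate
    #    enough: validators whose clocks lag by more than that would reject it.
    elif now - inception < skew_allowance:
        findings.append(("insufficient_backdating",
                         f"inception is only {now - inception} in the past"))
    # 3. Validity must cover the SOA expire interval so data still held by a
    #    secondary that has lost contact with the primary remains verifiable.
    if expiration - inception < timedelta(seconds=soa_expire):
        findings.append(("shorter_than_soa_expire",
                         f"validity {expiration - inception} < {soa_expire}s"))
    # 4. Re-signing should happen days before expiration, not at the last minute.
    if expiration - now < resign_lead:
        findings.append(("resign_overdue",
                         f"only {expiration - now} left before expiration"))
    return findings


if __name__ == "__main__":
    # Constructed sample, not the real .mg data: inception 30 minutes ahead of
    # the observer's clock, one-week SOA expire, 30-day validity.
    observer_now = parse_rrsig_time("20170525040500")
    for code, detail in check_rrsig_window(parse_rrsig_time("20170525043500"),
                                           parse_rrsig_time("20170624043500"),
                                           604800, observer_now):
        print(code, "-", detail)
```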