[dns-operations] Minimum clock skew tolerance?

Olafur Gudmundsson ogud at ogud.com
Thu May 25 16:06:11 UTC 2017


> On May 25, 2017, at 12:26 AM, Mark Andrews <marka at isc.org> wrote:
> 
> Named’s signers set the inception date to (now - 1 hour), by default, to allow
> for clock skew.  I’ve been tempted to make that (now - 1 day).  Resigning should
> be done days before the signatures expire.  They should be valid for at least
> the SOA’s expire interval to handle replication issues. Validators really shouldn’t
> have to add allowances for clock skew.
> 

Cloudflare's online-generated signatures are valid for -25H .. +25H
to avoid any problems with wrong time and day.


> None of this is documented in any RFC.

DNSSEC best practices?

Olafur
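As an added example that is not part of this thread (and not named's or Cloudflare's code), a small model of the signer policy under discussion: inception backdated by a configurable amount, a validator that, as Mark suggests, makes no skew allowance of its own, and the check that the signature lifetime covers the SOA expire interval. The sample clock value, the policy figures passed in, and all function names are constructed for this illustration.

```python
# Added example, not code from the thread, named or Cloudflare. RRSIG inception
# and expiration are 32-bit unsigned seconds since the epoch (RFC 4034 3.1.5)
# and must be compared with serial arithmetic (RFC 1982) to survive wraparound.
HOUR = 3600
DAY = 24 * HOUR
MASK = 0xFFFFFFFF
SAMPLE_NOW = 1495728371  # constructed sample clock, roughly the date of this post


def serial_le(a, b):
    """a <= b in 32-bit serial arithmetic, so the 2106 wraparound is handled."""
    return a == b or ((b - a) & MASK) < 0x80000000


def rrsig_window(now, backdate=HOUR, validity=30 * DAY):
    """Inception/expiration a signer stamps on an RRSIG.
    backdate: how far before 'now' inception is set (named's default: 1 hour).
    validity: how far after 'now' expiration is set."""
    return (now - backdate) & MASK, (now + validity) & MASK


def validator_accepts(inception, expiration, now):
    """Strict check: inception <= now <= expiration, with no local skew fudge."""
    n = now & MASK
    return serial_le(inception, n) and serial_le(n, expiration)


def survives_clock_error(backdate, validity, clock_error, now=SAMPLE_NOW):
    """Sign at 'now' under the given policy, then validate on a resolver whose
    clock is off by clock_error seconds (negative = slow). A slow clock makes a
    fresh signature look not-yet-valid; a fast one makes it look expired."""
    inception, expiration = rrsig_window(now, backdate, validity)
    return validator_accepts(inception, expiration, now + clock_error)


def lifetime_covers_soa_expire(inception, expiration, soa_expire):
    """Signer-policy check from the thread: the signature must stay valid at
    least as long as a secondary may keep serving the zone (SOA expire)."""
    return ((expiration - inception) & MASK) >= soa_expire


if __name__ == "__main__":
    for label, backdate, validity in (("named default", HOUR, 30 * DAY),
                                      ("Cloudflare-style", 25 * HOUR, 25 * HOUR)):
        for err in (-2 * HOUR, -30 * 60, 0, DAY, 26 * HOUR):
            verdict = survives_clock_error(backdate, validity, err)
            print(f"{label:17} resolver clock off by {err:+7d}s -> accepted={verdict}")
```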
