[dns-operations] Minimum clock skew tolerance?
Olafur Gudmundsson
ogud at ogud.com
Thu May 25 16:06:11 UTC 2017
> On May 25, 2017, at 12:26 AM, Mark Andrews <marka at isc.org> wrote:
>
> Named’s signers set the inception date to (now - 1 hour), by default, to allow
> for clock skew. I’ve been tempted to make that (now - 1 day). Resigning should
> be done days before the signatures expire. They should be valid for at least
> the SOA’s expire interval to handle replication issues. Validators really shouldn’t
> have to add allowances for clock skew.
>
Cloudflare's online-generated signatures are valid for -25h .. +25h
to avoid any problems with wrong time and day.
> None of this is documented in any RFC.
DNSSEC best practices?
Olafur
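Added example, not part of the thread or of any signer's code: a validator-side check of an RRSIG's validity window (RFC 4034 section 3.1.5, with the 32-bit serial-number comparison from RFC 1982), used to show why a signer's inception offset, named's default of now - 1 hour versus the -25h .. +25h window above, decides whether a resolver with a slow clock still validates. The signing time and the clock skews are constructed values.

```python
from datetime import datetime, timedelta, timezone

MOD = 1 << 32
HALF = 1 << 31


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 'a < b' on 32-bit serial numbers (survives the 2106 wrap)."""
    a %= MOD
    b %= MOD
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


def rrsig_window_ok(inception: int, expiration: int, now: int) -> bool:
    """RFC 4034 3.1.5: the RRSIG is usable iff inception <= now <= expiration."""
    return not serial_lt(now, inception) and not serial_lt(expiration, now)


def sign_window(signed_at: datetime, back: timedelta, forward: timedelta):
    """Signer policy: inception = signed_at - back, expiration = signed_at + forward."""
    return int((signed_at - back).timestamp()), int((signed_at + forward).timestamp())


def validates_with_skew(back: timedelta, forward: timedelta, skew: timedelta) -> bool:
    """Would a signature produced now validate on a resolver whose clock is off by skew?"""
    true_now = datetime(2017, 5, 25, 16, 6, 11, tzinfo=timezone.utc)  # constructed
    inc, exp = sign_window(true_now, back, forward)
    resolver_now = int((true_now + skew).timestamp())  # the resolver's (wrong) idea of now
    return rrsig_window_ok(inc, exp, resolver_now)


if __name__ == "__main__":
    # Resolver 2 hours slow: named's default inception (now - 1h) fails, a 25h window passes.
    print(validates_with_skew(timedelta(hours=1), timedelta(days=30), timedelta(hours=-2)))   # False
    print(validates_with_skew(timedelta(hours=25), timedelta(hours=25), timedelta(hours=-2)))  # True
```

Widening the inception offset only helps a slow resolver; a fast resolver is covered by the expiration side, which is why re-signing well before expiry matters as well.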