[dns-operations] Minimum clock skew tolerance?
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu May 25 16:22:26 UTC 2017
> On May 25, 2017, at 12:06 PM, Olafur Gudmundsson <ogud at ogud.com> wrote:
>
>> Named’s signers set the inception date to (now - 1 hour), by default, to allow
>> for clock skew. I’ve been tempted to make that (now - 1 day). Resigning should
>> be done days before the signatures expire. They should be valid for at least
>> the SOA’s expire interval to handle replication issues. Validators really shouldn’t
>> have to add allowances for clock skew.
>>
>
> Cloudflare online generated signatures are valid for -25 H .. +25H
> to avoid any problems with wrong time and day
And yet it seems that unbound needed work-arounds:
val-sig-skew-min: <seconds>
Minimum number of seconds of clock skew to apply to validated
signatures. A value of 10% of the signature lifetime (expira-
tion - inception) is used, capped by this setting. Default is
3600 (1 hour) which allows for daylight savings differences.
Lower this value for more strict checking of short lived signa-
tures.
val-sig-skew-max: <seconds>
Maximum number of seconds of clock skew to apply to validated
signatures. A value of 10% of the signature lifetime (expira-
tion - inception) is used, capped by this setting. Default is
86400 (24 hours) which allows for timezone setting problems in
stable domains. Setting both min and max very low disables the
clock skew allowances. Setting both min and max very high makes
the validator check the signature timestamps less strictly.
I ran into the ".mg" anomaly after lowering these to 20 minutes, to see what
the impact would be.
>> None of this is documented in any RFC.
>
> DNSSEC best practices ?
Yes, I have another issue up my sleeve that will require attention to signer
practices.
--
Viktor.
More information about the dns-operations
mailing list