On Aug 14 2009, Paul Wouters wrote:
I'm running into a strange issue where, when signing a zone while re-using signatures, one RRSIG record sometimes ends up with a validity time of almost nothing. This happens for instance when signing (and re-using sigs) using "-i 1296000 -e +2592000 -j 2592000" as part of the dnssec-signzone command.
If you set the jitter equal to the relative end time, you are spreading the expiry times uniformly between now and then, so you should expect a few of them to be "almost nothing". You should be setting jitter so that the earliest expiry time is (comfortably) later than the next time you expect to re-sign the zone in the same way. (I am assuming that you are using offline signing only.)

--
Chris Thompson
Email: c...@cam.ac.uk
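The reply's point worked through numerically, as an added example that is not part of the original thread or BIND's own code. It models jitter as a uniform draw subtracted from the end time (as the reply describes) and assumes a weekly re-sign schedule with a one-day margin, both constructed for illustration.

```python
import random

END_OFFSET = 2592000   # -e +2592000 from the thread (30 days)
JITTER = 2592000       # -j 2592000 from the thread
RESIGN_PERIOD = 604800 # assumption: zone is re-signed weekly (constructed)
MARGIN = 86400         # assumption: one day of slack (constructed)


def earliest_expiry(end_offset, jitter):
    """Worst-case validity, in seconds after signing, under the uniform model."""
    return end_offset - jitter


def max_safe_jitter(end_offset, resign_period, margin):
    """Largest jitter that keeps every expiry later than next re-sign + margin."""
    return max(0, end_offset - (resign_period + margin))


def simulate(end_offset, jitter, resign_period, n, seed=1):
    """Draw n expiry offsets uniformly in [end_offset - jitter, end_offset].

    Returns (shortest validity seen, number expiring before the next re-sign).
    """
    rng = random.Random(seed)
    expiries = [end_offset - rng.uniform(0, jitter) for _ in range(n)]
    lapsed = sum(1 for e in expiries if e < resign_period)
    return min(expiries), lapsed


if __name__ == "__main__":
    print("earliest possible expiry with thread settings:",
          earliest_expiry(END_OFFSET, JITTER), "s")
    shortest, lapsed = simulate(END_OFFSET, JITTER, RESIGN_PERIOD, 10000)
    print(f"jitter == end: shortest validity {shortest:.0f} s, "
          f"{lapsed} of 10000 RRSIGs expire before the next re-sign")

    safe = max_safe_jitter(END_OFFSET, RESIGN_PERIOD, MARGIN)
    shortest, lapsed = simulate(END_OFFSET, safe, RESIGN_PERIOD, 10000)
    print(f"jitter {safe}: shortest validity {shortest:.0f} s, "
          f"{lapsed} of 10000 RRSIGs expire before the next re-sign")
```
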