On Fri, 14 Aug 2009, Chris Thompson wrote:
I'm running into a strange issue where when signing a zone with
re-using signatures, that sometimes 1 RRSIG record ends up with
a validity time of almost nothing. This happens for instance when
signing (and re-using sigs) using "-i 1296000 -e +2592000 -j 2592000"
as part of the dnssec-signzone command.
If you set the jitter equal to the relative end time, you are spreading
the expiry times uniformly between now and then, so you should expect
a few of them to be be "almost nothing". You should be setting jitter
so that the earliest expiry time is (comfortably) later than the next
time you expect to resign the zone in the same way. (I am assuming that
you are using offline signing only.)
Im signing more or less hourly. My -i interval says "at least 1296000 seconds
in the future" from start date "now - minus 1 hour" (because I don't use "-s")
So as far as I can tell, I should always be more then fine on the lower
time limit. That's why I'm suspecting a bug in the jitter code.
Paul
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
