On Fri, 14 Aug 2009, Evan Hunt wrote:
>> I'm signing more or less hourly. My -i interval says "at least 1296000
>> seconds in the future" from start date "now - minus 1 hour" (because I
>> don't use "-s")

> Your -i flag says: if you're re-signing a zone that's already signed, any
> RRSIGs whose expiry times are less than 15 days in the future should be
> dropped and replaced with new RRSIGs. (1296000 == 15 days)
> Your -e flag says, sign records with a base expiry time 30 days in the future.
> Your -j flag says, use a 30 day jitter window for the expiry times. So now
> it's 30 days in the future, plus or minus 15 days.
> So, a few records end up with expiry 30-15=15 days in the future. The next
> time you sign, because of the -i flag, they get resigned. I don't think
> there's anything else going on here.

But I am getting the error that the signature is *expired*. Not that it is
being replaced because it's only valid for 15 days - 1 hour in the future.

> I'd suggest dropping the -i flag or scaling down the size of the jitter
> window. You can drop -e too, incidentally, since 30 days is already the
> default.

But I want to re-use signatures and use jitter. I'm using -e because
I'm allowing a configurable validity time. It just happens to be the
same as the default in this example.

> (By the way, in 9.7.0a2 the times no longer have to be specified in seconds;
> we added suffixes to specify hours, days, weeks, etc. So you could be saying
> "-e 30d -i 10d -j 12h" or whatever.)

Awesome. It was on my own todo list as well, as we didn't want people
to need to calculate the number of seconds.

Anyway, please try and run two dnssec-signzone commands right after each
other using "-i 1296000 -j 2592000" and see if you also have one RRSIG
being expired.
Paul
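The -s/-e/-i/-j interaction discussed in this thread, as an added example (this is not BIND's code and was not posted by either party): a small Python model that accepts both the seconds-only form and the 9.7-style suffix form, assumes, as Evan describes, that -e is relative to the start time (now minus 1h by default) and that -j spreads each expiry over a symmetric window of plus or minus jitter/2, and reports how a second run one hour later classifies the first run's signatures under -i. The unit table and the uniform random draw are this example's own assumptions, not BIND's exact formula.

```python
"""Model of how dnssec-signzone -s/-e/-i/-j interact across two runs (added example)."""
import random

# Suffixes as this example parses them; assumption, not BIND's own parser table.
UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 7 * 86400}


def parse_interval(text):
    """Parse '1296000' (seconds) or the 9.7-style '30d' / '12h' into seconds."""
    text = text.strip().lower()
    if text[-1] in UNITS and text[:-1].isdigit():
        return int(text[:-1]) * UNITS[text[-1]]
    return int(text)


def sign(now, end="30d", jitter="0", start_skew="1h", count=10000, rng=None):
    """Return the expiry times one signing run would stamp on `count` RRSIGs.
    Start time is now minus start_skew (the 1h clock-skew allowance used when -s
    is absent); -e is applied relative to that start; -j is modelled as a
    symmetric window of +/- jitter/2 around the base expiry (assumption)."""
    rng = rng or random.Random(0)          # fixed seed so results are reproducible
    start = now - parse_interval(start_skew)
    base = start + parse_interval(end)
    j = parse_interval(jitter)
    lo, hi = base - j // 2, base + j // 2
    return [rng.randint(lo, hi) if j else base for _ in range(count)]


def classify(expiries, now, interval="1296000"):
    """At a later run with -i: 'expired' if the expiry is already past,
    'resign' if it falls inside the cycle interval (replaced as expiring soon),
    otherwise 'keep' (signature reused)."""
    cutoff = now + parse_interval(interval)
    out = {"expired": 0, "resign": 0, "keep": 0}
    for e in expiries:
        if e <= now:
            out["expired"] += 1
        elif e < cutoff:
            out["resign"] += 1
        else:
            out["keep"] += 1
    return out


def rerun(end, jitter, interval, gap="1h", count=10000):
    """Sign once, then run again `gap` later with -i; return the classification."""
    t0 = 1_250_000_000                     # constructed epoch time; any fixed value works
    return classify(sign(t0, end, jitter, count=count), t0 + parse_interval(gap), interval)


if __name__ == "__main__":
    print("-e 30d -j 2592000 -i 1296000:", rerun("30d", "2592000", "1296000"))
    print("-e 30d -j 12h     -i 1296000:", rerun("30d", "12h", "1296000"))
```

With the 30-day jitter window a small fraction of signatures lands just under the 15-day -i cutoff and is classified as "resign", none as "expired"; narrowing the window to 12h makes every signature reusable.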
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users