On Fri, 14 Aug 2009, Chris Thompson wrote:
> > So as far as I can tell, I should always be more than fine on the lower
> > time limit. That's why I'm suspecting a bug in the jitter code.
>
> I think you misunderstand what -i does (or else I do!). If a signature expires
> more than 15 days into the future (with your settings) it is left alone. But
> if it expires sooner than that, it is replaced, using -s, -e, -j. There's
> nothing that stops the new expiry time being *earlier* than it was previously

I am under the impression that -i ensures that the minimum expiry *after
jittering* is still kept in place.

> if -j is set as large as you are. Obviously, that's not a sensible choice of
> options.

Why not? If I have 1.2M signatures, all of which have to be valid for at least
1w, at most 4w, and spread out equally over those 3w weeks, isn't that a
sensible choice?

> I would suggest that -j should be no more than 648000 (say), and
> certainly no more than 1296000.

Why no more than 1w? And why certainly no more than 2w?

> For testing the uniform distribution, and seeing just how many new signatures
> are almost due to expire when created, I suggest

The distribution seems fine, but let me know if I'm wrong. See:
http://www.xelerance.com/cira/
Paul
_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
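
An added example, not part of the original thread and not BIND code: a small model of the question raised above, namely how many freshly created signatures already fall inside the -i re-sign window for a given -j. It assumes each new expiry is drawn uniformly from [end - jitter, end], that -e is 4 weeks from now (taken from the "at most 4w" in the message) and that -i is the 15 days quoted above; the function names are hypothetical.

```python
import random

DAY = 86400
WEEK = 7 * DAY


def resign_fraction(end, jitter, interval):
    """Closed-form share of new signatures with expiry <= now + interval.

    Assumed model (not taken from BIND source): expiry is uniform on
    [end - jitter, end]; all arguments are offsets from now in seconds.
    """
    if jitter <= 0:
        return 1.0 if end <= interval else 0.0
    earliest = end - jitter
    return min(1.0, max(0.0, (interval - earliest) / jitter))


def simulate(end, jitter, interval, n=200_000, seed=1):
    """Monte Carlo check of the same quantity, using a fixed seed."""
    rng = random.Random(seed)
    hits = sum(1 for _ in range(n) if end - rng.uniform(0, jitter) <= interval)
    return hits / n


def report(end, interval, jitters):
    """Return (jitter, earliest expiry, exact share, simulated share) rows."""
    return [
        (j, end - j, resign_fraction(end, j, interval), simulate(end, j, interval))
        for j in jitters
    ]


if __name__ == "__main__":
    END = 4 * WEEK       # assumed -e: now + 4 weeks
    INTERVAL = 15 * DAY  # -i value quoted in the thread
    # The two -j values suggested in the thread, plus the 3-week spread asked about.
    for j, earliest, exact, sim in report(END, INTERVAL, [648000, 1296000, 3 * WEEK]):
        print(f"-j {j:>8}: earliest expiry {earliest / DAY:5.1f}d, "
              f"inside -i window at creation: {exact:6.1%} (simulated {sim:6.1%})")
```

Under these assumptions a signature that lands inside the window is replaced again on the next signing run, so the share reported for a given -j is the extra re-signing work that jitter setting produces.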