In message <alpine.lfd.1.10.0908141126400.26...@newtla.xelerance.com>, Paul Wouters writes:
> On Fri, 14 Aug 2009, Chris Thompson wrote:
>
> >> I'm running into a strange issue where when signing a zone with
> >> re-using signatures, that sometimes 1 RRSIG record ends up with
> >> a validity time of almost nothing. This happens for instance when
> >> signing (and re-using sigs) using "-i 1296000 -e +2592000 -j 2592000"
> >> as part of the dnssec-signzone command.
> >
> > If you set the jitter equal to the relative end time, you are spreading
> > the expiry times uniformly between now and then, so you should expect
> > a few of them to be "almost nothing". You should be setting jitter
> > so that the earliest expiry time is (comfortably) later than the next
> > time you expect to resign the zone in the same way. (I am assuming that
> > you are using offline signing only.)
>
> I'm signing more or less hourly. My -i interval says "at least 1296000 seconds
> in the future" from start date "now - minus 1 hour" (because I don't use "-s")
>
> So as far as I can tell, I should always be more than fine on the lower
> time limit. That's why I'm suspecting a bug in the jitter code.

actual_end_time = endtime - jitter where jitter is [0..jitter)

> Paul
> _______________________________________________
> bind-users mailing list
> bind-users@lists.isc.org
> https://lists.isc.org/mailman/listinfo/bind-users
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
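The formula in the reply above, worked through for the options quoted in the thread, as an added example (not part of the thread and not BIND code). It assumes the jitter is drawn uniformly in whole seconds and measures lifetimes from "now", ignoring the one-hour start back-dating; the function names and the ADJUSTED values are constructed for illustration.

```python
import random

HOUR = 3600  # signing cadence mentioned in the thread ("more or less hourly")

def remaining_validity_window(end_offset, jitter):
    """actual_end_time = endtime - j, with j in [0, jitter).
    Returns (shortest, longest) RRSIG lifetime in seconds from now.
    Assumption: j is a whole number of seconds."""
    if jitter <= 0:
        return end_offset, end_offset
    return end_offset - (jitter - 1), end_offset

def audit(end_offset, jitter, cycle_interval, resign_period):
    """List the problems one -e/-j/-i combination can produce."""
    shortest, _ = remaining_validity_window(end_offset, jitter)
    findings = []
    if shortest <= resign_period:
        findings.append("a fresh RRSIG can expire before the next signing run")
    if shortest <= cycle_interval:
        findings.append("a fresh RRSIG can already be inside the -i window")
    return findings

def simulate(end_offset, jitter, cycle_interval, n=100_000, seed=1):
    """Draw n lifetimes; return (shortest seen, share at or below -i)."""
    rng = random.Random(seed)
    lifetimes = [end_offset - (rng.randrange(jitter) if jitter > 0 else 0)
                 for _ in range(n)]
    below = sum(1 for t in lifetimes if t <= cycle_interval)
    return min(lifetimes), below / n

# Options quoted in the thread: -i 1296000 -e +2592000 -j 2592000
THREAD = dict(end_offset=2592000, jitter=2592000, cycle_interval=1296000)
# Constructed alternative: jitter capped so the shortest lifetime stays
# above the -i interval by more than one signing run.
ADJUSTED = dict(end_offset=2592000, jitter=2592000 - 1296000 - HOUR,
                cycle_interval=1296000)

if __name__ == "__main__":
    for name, cfg in (("thread", THREAD), ("adjusted", ADJUSTED)):
        print(name,
              remaining_validity_window(cfg["end_offset"], cfg["jitter"]),
              audit(resign_period=HOUR, **cfg),
              simulate(**cfg))
```

With the thread's options, about half of the freshly generated signatures land at or below the -i interval, and the shortest ones have only seconds of validity left.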