> I am still confused about the jitter window. I'm assuming the jitter
> windows is spread between -s (now-1h) plus -i value up to -e value ?

I have been corrected by my colleague Mark Andrews: I apparently misread both the code and the doc. Apologies for the confusion.

I *thought* the jitter window straddled E on either side, giving you a range of E-(J/2) to E+(J/2). The truth is that E is a hard limit, so the range you get is E-J to E.

So, given E = S + 30d, and J = 30d, you're getting expiry times ranging from S to E. S, in this case, is an hour in the past. I guess that accounts for the already-expired signatures you're finding.

Note that the cycle interval (-i) doesn't enter into this calculation at all.

> I am still not understanding either the preference for the default
> values nor the error of the values I picked..... I don't think the
> interaction between -i, -s, -e and -j is very clear to me.

There really isn't any interaction between -i and the others. All it says is that when you're re-signing, if a signature will expire within the time set by -i (or defaulting to 7.5 days if -i was not set), drop that signature and sign the corresponding record again.

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.
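
The arithmetic described in the message above, as an added example (not part of the original post and not BIND's code): it computes the E-J to E window, the share of it already expired at signing time, and the share that falls inside the -i cycle interval. The function name, the sample dates, the uniform-spread assumption and the two "largest jitter" bounds are assumptions made for this illustration.

```python
from datetime import datetime, timedelta, timezone

# 7.5 days: the default the message gives for -i when it is not set.
DEFAULT_CYCLE = timedelta(days=7, hours=12)

def jitter_report(now, end, jitter, cycle=DEFAULT_CYCLE):
    """Where can signature expiry times fall for one signing run?

    end is the -e time (E), jitter the -j value (J), cycle the -i value.
    Assumption: expiry times are spread uniformly over [E-J, E].
    """
    earliest, latest = end - jitter, end   # E is a hard limit, so E-J .. E
    window = latest - earliest

    def share_before(t):
        # Fraction of the window that lies before time t.
        if window <= timedelta(0):
            return 1.0 if latest <= t else 0.0
        return min(1.0, max(0.0, (t - earliest) / window))

    return {
        "earliest": earliest,
        "latest": latest,
        # Signatures that are already expired when the zone is signed.
        "expired_at_signing": share_before(now),
        # Signatures a re-signing run at `now` would drop and redo under -i.
        "inside_cycle": share_before(now + cycle),
        # Derived bounds: largest J that keeps E-J after now / after now + cycle.
        "max_jitter_none_expired": max(timedelta(0), end - now),
        "max_jitter_outside_cycle": max(timedelta(0), end - now - cycle),
    }

if __name__ == "__main__":
    # Constructed sample: S = now - 1h, E = S + 30d, J = 30d, as in the thread.
    now = datetime(2024, 1, 1, 12, 0, tzinfo=timezone.utc)
    start = now - timedelta(hours=1)
    report = jitter_report(now, end=start + timedelta(days=30),
                           jitter=timedelta(days=30))
    for key, value in report.items():
        print(f"{key:26} {value}")
```

With the thread's values and the uniform-spread assumption, about 0.14% of the window lies in the past and roughly a quarter of it falls inside the default 7.5-day cycle interval.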