On 01/18/2013 04:06 PM, Chris Thompson wrote:
> On Jan 18 2013, Stephane Bortzmeyer wrote:
>
>> On Fri, Jan 18, 2013 at 09:08:37AM +1100,
>> Mark Andrews <ma...@isc.org> wrote a message of 38 lines which said:
>>
>>> .mm failed to re-sign their DNSKEY RRset.
>>
>> Note that, because Unbound is tolerant by default ("10 % rule"),
>> Unbound users will see the problem only on Sunday:
>
> Is fudging the expiry times like that really a good idea? If all
> validators allowed a 10% overrun, DNS operators would just
> get 10% sloppier and we would be back where we started.
Note that this Unbound setting is not about accepting sloppiness or being extra tolerant. What people here refer to as the "10% rule" is about mitigating the problem of clock skew and timezones.

Also, these values are capped: the minimum skew is 1 hour. That value has been chosen to prevent problems caused by daylight savings differences. The maximum is 24 hours. These settings can be adjusted in unbound.conf with 'val-sig-skew-min:' and 'val-sig-skew-max:'.

Best regards,

Matthijs
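As an added illustration of the bounded skew described above (example code written for this thread, not Unbound's own code): the allowed clock skew is modelled as one tenth of the RRSIG validity period, clamped between the 1 hour minimum and 24 hour maximum quoted in the reply; the default constants and the RRSIG timestamp format (YYYYMMDDHHmmSS, UTC) are assumptions, and the sample timestamps are constructed.

```python
from datetime import datetime, timedelta, timezone

# Assumed defaults, in seconds, matching the 1 hour / 24 hour bounds
# quoted in the thread for val-sig-skew-min / val-sig-skew-max.
VAL_SIG_SKEW_MIN = 3600
VAL_SIG_SKEW_MAX = 86400


def parse_rrsig_time(value: str) -> datetime:
    """Parse an RRSIG inception/expiration field (YYYYMMDDHHmmSS, UTC)."""
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def allowed_skew(inception: datetime, expiration: datetime,
                 skew_min: int = VAL_SIG_SKEW_MIN,
                 skew_max: int = VAL_SIG_SKEW_MAX) -> int:
    """The '10% rule': one tenth of the validity period, clamped to
    [skew_min, skew_max] seconds so a long-lived signature never buys
    more than a day of tolerance and a short one still absorbs DST skew."""
    validity = int((expiration - inception).total_seconds())
    return max(skew_min, min(validity // 10, skew_max))


def signature_time_valid(inception: str, expiration: str, now: str,
                         skew_min: int = VAL_SIG_SKEW_MIN,
                         skew_max: int = VAL_SIG_SKEW_MAX) -> bool:
    """Accept the signature only while 'now' is inside the validity window
    widened by the bounded skew on both ends; all three are RRSIG-format
    timestamps."""
    inc = parse_rrsig_time(inception)
    exp = parse_rrsig_time(expiration)
    skew = timedelta(seconds=allowed_skew(inc, exp, skew_min, skew_max))
    return inc - skew <= parse_rrsig_time(now) <= exp + skew


if __name__ == "__main__":
    # Constructed 10-day signature: 12 hours past expiry is still inside
    # the 24 hour cap, 25 hours is not.
    print(signature_time_valid("20130101000000", "20130111000000", "20130111120000"))
    print(signature_time_valid("20130101000000", "20130111000000", "20130112010000"))
```

A 30-day signature therefore gets the same 24 hour tolerance as a 10-day one, and a 2-hour signature still gets the full hour rather than 12 minutes.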