Strange tiny time limit RRSIG

Paul Wouters paul at xelerance.com
Fri Aug 14 16:52:30 UTC 2009


On Fri, 14 Aug 2009, Chris Thompson wrote:

>> So as far as I can tell, I should always be more than fine on the lower
>> time limit. That's why I'm suspecting a bug in the jitter code.
>
> I think you misunderstand what -i does (or else I do!). If a signature expires
> more than 15 days into the future (with your settings) it is left alone. But
> if it expires sooner than that, it is replaced, using -s, -e, -j. There's
> nothing that stops the new expiry time being *earlier* than it was previously

I am under the impression that -i ensures that the minimum expiry *after jittering*
is still kept in place.

> if -j is set as large as you are. Obviously, that's not a sensible choice of
> options.

Why not? If I have 1.2M signatures, all of which have to be valid for at least
1w, at most 4w, and spread out equally over those 3 weeks, isn't that a
sensible choice?


> I would suggest that -j should be no more than 648000 (say), and
> certainly no more than 1296000.

Why no more than 1w? And why certainly no more than 2w?

> For testing the uniform distribution, and seeing just how many new signatures
> are almost due to expire when created, I suggest

The distribution seems fine, but let me know if I'm wrong. See:
http://www.xelerance.com/cira/

Paul
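As an added example (not code from this thread or from BIND), here is a small Python model of the -e/-j/-i interaction the two mails argue about. It assumes, as Chris's description does, that each new RRSIG expiry is the -e time pulled earlier by a uniform random amount of up to -j seconds, and that a signature is replaced on the next signing run if it expires within the -i cycle interval; the settings (1w minimum, 4w maximum, 3w jitter, 15-day cycle) are the ones quoted in the thread.

```python
import random

DAY = 86400
WEEK = 7 * DAY


def jittered_lifetime(end, jitter, rng):
    """Lifetime (seconds from signing time) of one new RRSIG.

    Simplified model, not BIND's code: the -e offset is pulled earlier by a
    uniform random draw in [0, jitter].
    """
    return end - rng.randrange(jitter + 1)


def expected_fraction_inside_cycle(end, jitter, cycle):
    """Analytic share of fresh signatures whose lifetime ends inside the -i
    cycle interval, i.e. signatures the very next run would replace again.

    A lifetime falls inside the cycle when the jitter draw exceeds end - cycle.
    """
    if jitter == 0:
        return 1.0 if end < cycle else 0.0
    return min(1.0, max(0.0, (jitter - (end - cycle)) / jitter))


def simulate(n, end, jitter, cycle, seed=1):
    """Sign n records with the given offsets (seconds) and report the observed
    lifetime range and the share that the next -i run would replace."""
    rng = random.Random(seed)  # fixed seed so the figures are reproducible
    lifetimes = [jittered_lifetime(end, jitter, rng) for _ in range(n)]
    inside = sum(1 for t in lifetimes if t < cycle)
    return {
        "min_lifetime_days": min(lifetimes) / DAY,
        "max_lifetime_days": max(lifetimes) / DAY,
        "inside_cycle": inside / n,
    }


if __name__ == "__main__":
    # Thread's settings: -e 4w, -j 3w (so every lifetime stays >= 1w), -i 15d.
    for jitter in (3 * WEEK, 1296000, 648000):
        r = simulate(20000, 4 * WEEK, jitter, 15 * DAY)
        print(f"jitter={jitter:>8}s  lifetime {r['min_lifetime_days']:.1f}-"
              f"{r['max_lifetime_days']:.1f}d  replaced next run: "
              f"{r['inside_cycle']:.1%} (expected "
              f"{expected_fraction_inside_cycle(4 * WEEK, jitter, 15 * DAY):.1%})")
```

The lower bound -e minus -j is always respected in this model; what changes with a large -j is how many freshly made signatures already sit inside the -i window and get rewritten on the next run.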


