[Opendnssec-develop] Signer Testplan: first try
Matthijs Mekking
matthijs at NLnetLabs.nl
Wed Apr 8 15:06:28 UTC 2009
Jakob Schlyter wrote:
> In my world, jitter is ABS(MAX(VARIANCE(signature expiration time))).
>
> so something like:
>
> signature expiration = calculated expiration time - jitter +
> (random(jitter) * 2)
>
> where random(x) is a function generating a random number such as 0 ≤ r
> ≤ x. this would generate a signature exception that can vary +/- some
> jitter number of seconds, right?
You just make it a whole lot more complex ;)
>> - Is random jitter acceptable?
>
> not only acceptable, it is required.
Is it? Where is that defined? Doing it modular instead of random gives
you a nicer expiration datetime spreading, imho.
>> 2. NSEC3PARAM TTL
>> Why do we need to configure the NSEC3PARAM TTL in signconf.xml? TTL for
>> NSEC3PARAM has no value because it is not used by resolvers or
>> validators.
>
> but it does need a TTL no? or do we always set it to X? if so, what is X?
Although it doesn't matter, I think TTL=0 makes sense (since caching is
not involved). Or SOA MIN, like with NSEC(3).
However, I think to configure something that does not matter, doesn't
make sense.
Matthijs
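To make the two positions in this exchange concrete, here is an added example (not code from OpenDNSSEC or from either poster) that computes RRSIG expiration times both ways: Jakob's formula as quoted above, and a deterministic "modular" spread. The reading of "modular" as "the i-th signature gets offset (i mod (2*jitter+1)) - jitter" is my assumption, since the mail does not define it; the calculated expiration 1239202800 (2009-04-08 15:00:00 UTC) and the batch size are constructed sample input.

```python
"""Added example: two ways of spreading RRSIG expiration over a jitter window.

Not OpenDNSSEC code. The modular scheme is an assumed interpretation of
"doing it modular instead of random" from the thread.
"""
import random
import time
from collections import Counter


def random_jitter_expiration(calculated, jitter, rng=random):
    """Jakob's formula as quoted: calc - jitter + random(jitter) * 2.

    random(x) returns an integer r with 0 <= r <= x, so the result lies in
    [calc - jitter, calc + jitter]. Note that only even offsets from
    calc - jitter can occur, because the random draw is doubled.
    """
    r = rng.randint(0, jitter)
    return calculated - jitter + r * 2


def modular_jitter_expiration(calculated, jitter, index):
    """Assumed 'modular' spread: walk the window [-jitter, +jitter] evenly.

    The index-th signature in a signing run gets offset
    (index mod (2*jitter + 1)) - jitter, so consecutive signatures land on
    consecutive seconds and every second of the window is used equally.
    """
    width = 2 * jitter + 1
    return calculated - jitter + (index % width)


def within_window(expiration, calculated, jitter):
    """Sanity check a practitioner would want: expiration stays inside the window."""
    return calculated - jitter <= expiration <= calculated + jitter


def rrsig_time(ts):
    """Render a Unix timestamp in RRSIG presentation format YYYYMMDDHHmmSS (UTC)."""
    return time.strftime("%Y%m%d%H%M%S", time.gmtime(ts))


def spread(expirations):
    """Histogram of expiration values: shows how evenly the window is used."""
    return Counter(expirations)


def demo(n=21, jitter=3, calculated=1239202800, seed=1):
    """Compute n expirations both ways for a constructed batch of RRsets."""
    rng = random.Random(seed)  # seeded only so the demo is reproducible
    rand = [random_jitter_expiration(calculated, jitter, rng) for _ in range(n)]
    mod = [modular_jitter_expiration(calculated, jitter, i) for i in range(n)]
    return rand, mod


if __name__ == "__main__":
    rand, mod = demo()
    print("random :", sorted((rrsig_time(k), v) for k, v in spread(rand).items()))
    print("modular:", sorted((rrsig_time(k), v) for k, v in spread(mod).items()))
```

With jitter=3 the modular scheme puts exactly three of the 21 signatures on each of the seven seconds in the window, while the random scheme clusters on even offsets and leaves gaps; both keep every expiration inside [calc - jitter, calc + jitter].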