<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META content="text/html; charset=GB2312" http-equiv=Content-Type>
<STYLE>
BLOCKQUOTE {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px; MARGIN-LEFT: 2em
}
OL {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
UL {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
P {
MARGIN-TOP: 0px; MARGIN-BOTTOM: 0px
}
BODY {
LINE-HEIGHT: 1.5; FONT-FAMILY: 宋体; COLOR: #000080; FONT-SIZE: 10.5pt
}
</STYLE>
<META name=GENERATOR content="MSHTML 8.00.6001.18702"></HEAD>
<BODY style="MARGIN: 10px">
<DIV>
<DIV>>The signature inception time is a function of the current time and the</DIV>
<DIV>>inception offset. Is your InceptionOffset in the kasp.xml policy 9 hours?</DIV>
<DIV> </DIV>
<DIV>No, the InceptionOffset is 3600S, but the point is the signature inception
time is earlier, not later, than the current time; it is the opposite.</DIV>
<DIV> </DIV>
<DIV>I signed a zone at 2012082119140544 or so, but the RRSIG SOA is:</DIV>
<DIV>example3. 300 IN RRSIG SOA 8 1 300 20120821130544 20120821101435 718 example3. RZsMib3Zx</DIV>
<DIV> </DIV>
<DIV>Once the authoritative server loads the zone data above, it will not get
authenticated by the recursive server with the +dnssec flag.</DIV>
<DIV>The policy I used is as follows:</DIV>
<DIV>
<DIV> <Policy name="lab"></DIV>
<DIV> <Description>Quick turnaround policy for lab work</Description></DIV>
<DIV> <Signatures></DIV>
<DIV> <Resign>PT15M</Resign></DIV>
<DIV> <Refresh>PT30M</Refresh></DIV>
<DIV> <Validity></DIV>
<DIV> <Default>PT2H</Default></DIV>
<DIV> <Denial>PT1H</Denial></DIV>
<DIV> </Validity></DIV>
<DIV> <Jitter>PT10M</Jitter></DIV>
<DIV> <InceptionOffset>PT3600S</InceptionOffset></DIV>
<DIV> </Signatures></DIV>
<DIV> <Denial></DIV>
<DIV> <NSEC3></DIV>
<DIV> <OptOut/></DIV>
<DIV> <Resalt>P100D</Resalt></DIV>
<DIV> <Hash></DIV>
<DIV> <Algorithm>1</Algorithm></DIV>
<DIV> <Iterations>5</Iterations></DIV>
<DIV> <Salt length="8"/></DIV>
<DIV> </Hash></DIV>
<DIV> </NSEC3></DIV>
<DIV> </Denial></DIV>
<DIV> </DIV>
<DIV> <Keys></DIV>
<DIV> <!-- Parameters for both KSK and ZSK --></DIV>
<DIV> <TTL>PT3000S</TTL></DIV>
<DIV> <RetireSafety>PT360S</RetireSafety></DIV>
<DIV> <PublishSafety>PT360S</PublishSafety></DIV>
<DIV> <ShareKeys/></DIV>
<DIV> <Purge>P1D</Purge></DIV>
<DIV> </DIV>
<DIV> <!-- Parameters for KSK only --></DIV>
<DIV> <KSK></DIV>
<DIV> <Algorithm length="2048">8</Algorithm></DIV>
<DIV> <Lifetime>P1Y</Lifetime></DIV>
<DIV> <Repository>SoftHSM</Repository></DIV>
<DIV> </KSK></DIV>
<DIV> </DIV>
<DIV> <!-- Parameters for ZSK only --></DIV>
<DIV> <ZSK></DIV>
<DIV> <Algorithm length="1024">8</Algorithm></DIV>
<DIV> <Lifetime>PT4H</Lifetime></DIV>
<DIV> <Repository>SoftHSM</Repository></DIV>
<DIV> <!-- <ManualRollover/> --></DIV>
<DIV> </ZSK></DIV>
<DIV> </Keys></DIV>
<DIV> </DIV>
<DIV> <Zone></DIV>
<DIV> <PropagationDelay>PT300S</PropagationDelay></DIV>
<DIV> <SOA></DIV>
<DIV> <TTL>PT300S</TTL></DIV>
<DIV> <Minimum>PT300S</Minimum></DIV>
<DIV> <Serial>unixtime</Serial></DIV>
<DIV> </SOA></DIV>
<DIV> </Zone></DIV>
<DIV> </DIV>
<DIV> <Parent></DIV>
<DIV> <PropagationDelay>PT9999S</PropagationDelay></DIV>
<DIV> <DS></DIV>
<DIV> <TTL>PT3600S</TTL></DIV>
<DIV> </DS></DIV>
<DIV> <SOA></DIV>
<DIV> <TTL>PT172800S</TTL></DIV>
<DIV> <Minimum>PT10800S</Minimum></DIV>
<DIV> </SOA></DIV>
<DIV> </Parent></DIV>
<DIV> </DIV>
<DIV> </Policy></DIV>
<DIV> </DIV>
<DIV> </DIV>
<DIV>Best regards,</DIV>
<DIV>Stuart</DIV></DIV>
<DIV> </DIV>
<DIV> </DIV>
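<DIV>Added example (not part of the original message and not OpenDNSSEC code): a check of the RRSIG timestamps quoted above against the Signatures values of the "lab" policy. It assumes the signer sets inception = signing time - InceptionOffset and expiration = signing time + Validity shifted by at most Jitter; the UTC+8 wall-clock reading is constructed sample input.</DIV>

```python
from datetime import datetime, timedelta, timezone

# RRSIG line and policy values copied from the message above.
RRSIG = ("example3. 300 IN RRSIG SOA 8 1 300 20120821130544 "
         "20120821101435 718 example3. RZsMib3Zx")
INCEPTION_OFFSET = timedelta(seconds=3600)   # InceptionOffset PT3600S
VALIDITY = timedelta(hours=2)                # Validity/Default PT2H
JITTER = timedelta(minutes=10)               # Jitter PT10M


def rrsig_time(field):
    """RRSIG presentation timestamps are YYYYMMDDHHmmSS in UTC (RFC 4034, 3.2)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def window(rrsig_line):
    """Return (inception, expiration) as timezone-aware UTC datetimes."""
    f = rrsig_line.split()
    rdata = f[f.index("RRSIG") + 1:]
    # rdata: type covered, algorithm, labels, original TTL, expiration, inception, ...
    return rrsig_time(rdata[5]), rrsig_time(rdata[4])


def inferred_signing_time(rrsig_line, offset=INCEPTION_OFFSET):
    # Assumption: the signer sets inception = signing time - InceptionOffset.
    inception, _ = window(rrsig_line)
    return inception + offset


def lifetime_matches_policy(rrsig_line):
    # Assumption: expiration = signing time + Validity, shifted by at most Jitter.
    _, expiration = window(rrsig_line)
    lifetime = expiration - inferred_signing_time(rrsig_line)
    return abs(lifetime - VALIDITY) <= JITTER


def valid_at(rrsig_line, now):
    """Validator-style time check; `now` must be timezone-aware."""
    inception, expiration = window(rrsig_line)
    return inception <= now <= expiration


if __name__ == "__main__":
    print("inception / expiration (UTC):", *window(RRSIG))
    print("inferred signing time (UTC):", inferred_signing_time(RRSIG))
    print("lifetime matches policy:", lifetime_matches_policy(RRSIG))
    # Constructed wall-clock reading in a UTC+8 zone, not taken from the message.
    local = datetime(2012, 8, 21, 19, 14, 40, tzinfo=timezone(timedelta(hours=8)))
    print("valid at", local, "->", valid_at(RRSIG, local))
```

<DIV>Because the comparison uses timezone-aware datetimes, a local clock reading is converted to UTC before it is compared with the RRSIG window.</DIV>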
<DIV> </DIV></DIV></BODY></HTML>