[Opendnssec-develop] Signer Testplan: first try

Matthijs Mekking matthijs at NLnetLabs.nl
Wed Apr 8 15:06:28 UTC 2009

Jakob Schlyter wrote:
> In my world, jitter is ABS(MAX(VARIANCE(signature expiration time))).
> so something like:
>   signature expiration = calculated expiration time - jitter +
> (random(jitter) * 2)
> where random(x) is a function generating a random numberr such as 0 ≤ r
> ≤ x. this would generate a signature exception that can vary +/- some
> jitter number of seconds, right?

You just make it a whole lot more complex ;)

>> - Is random jitter acceptable?
> not only acceptable, it is required.

Is it? Where is that defined? Doing it modular instead of random gives
you a nicer expiration datetime spreading, imho.

>> Why do we need to configure the NSEC3PARAM TTL in signconf.xml? TTL for
>> NSEC3PARAM has no value because it is not used by resolvers or
>> validators.
> but it does need a TTL no? or do we always set it to X? if so, what is X?

Although it doesn't matter, I think TTL=0 makes sense (since caching is
not involved). Or SOA MIN, like with NSEC(3).

However, I think to configure something that does not matter, doesn't
make sense.


-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 544 bytes
Desc: OpenPGP digital signature
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20090408/2ded1e2b/attachment.bin>

More information about the Opendnssec-develop mailing list