[Opendnssec-develop] Signer Testplan: first try

Jakob Schlyter jakob at kirei.se
Wed Apr 8 15:20:26 UTC 2009

On 8 apr 2009, at 17.06, Matthijs Mekking wrote:

> Jakob Schlyter wrote:
>> In my world, jitter is ABS(MAX(VARIANCE(signature expiration time))).
>> so something like:
>>  signature expiration = calculated expiration time - jitter +
>> (random(jitter) * 2)
>> where random(x) is a function generating a random numberr such as 0  
>> ≤ r
>> ≤ x. this would generate a signature exception that can vary +/-  
>> some
>> jitter number of seconds, right?
> You just make it a whole lot more complex ;)

is it? this is just how I implemented it in the BIND signer. almost,  
more exactly I just did - and not +, but it is been there for some  
time now.

> Is it? Where is that defined? Doing it modular instead of random gives
> you a nicer expiration datetime spreading, imho.

spreading is good so whatever gives us that is good I guess.

> Although it doesn't matter, I think TTL=0 makes sense (since caching  
> is
> not involved). Or SOA MIN, like with NSEC(3).
> However, I think to configure something that does not matter, doesn't
> make sense.

it's just if it makes sense to set a default. or we just do TTL=0 and  
be done with it and it that case it can be removed from the kasp +  


More information about the Opendnssec-develop mailing list