[Opendnssec-develop] Signer Testplan: first try
Jakob Schlyter
jakob at kirei.se
Wed Apr 8 15:20:26 UTC 2009
On 8 apr 2009, at 17.06, Matthijs Mekking wrote:
> Jakob Schlyter wrote:
>> In my world, jitter is ABS(MAX(VARIANCE(signature expiration time))).
>>
>> so something like:
>>
>> signature expiration = calculated expiration time - jitter +
>> (random(jitter) * 2)
>>
>> where random(x) is a function generating a random number r such as
>> 0 ≤ r ≤ x. this would generate a signature exception that can vary
>> +/- some jitter number of seconds, right?
>
> You just make it a whole lot more complex ;)
is it? this is just how I implemented it in the BIND signer. almost,
more exactly I just did - and not +, but it has been there for some
time now.
> Is it? Where is that defined? Doing it modular instead of random gives
> you a nicer expiration datetime spreading, imho.
spreading is good so whatever gives us that is good I guess.
> Although it doesn't matter, I think TTL=0 makes sense (since caching
> is not involved). Or SOA MIN, like with NSEC(3).
>
> However, I think to configure something that does not matter, doesn't
> make sense.
it's just if it makes sense to set a default. or we just do TTL=0 and
be done with it and in that case it can be removed from the kasp +
signconf.
jakob
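
An added example, not part of the original message and not OpenDNSSEC or BIND code: the symmetric jitter formula quoted above, applied to a batch of signatures to show how their expirations spread compared with no jitter. The timestamp, jitter value, bucket width and function names are constructed for illustration.

```python
import random
from collections import Counter

def jittered_expiration(calculated, jitter, rng):
    """calculated - jitter + random(jitter) * 2, where 0 <= r <= jitter."""
    r = rng.randint(0, jitter)  # randint is inclusive at both ends
    # With an integer r, the "* 2" means only even offsets from
    # (calculated - jitter) can occur.
    return calculated - jitter + 2 * r

def simulate(n_signatures, calculated, jitter, seed=1):
    """Expiration times for a batch of signatures made in one signing run."""
    rng = random.Random(seed)  # seeded so the run is repeatable
    return [jittered_expiration(calculated, jitter, rng)
            for _ in range(n_signatures)]

def spread(expirations, bucket_seconds):
    """Number of signatures expiring in each bucket_seconds-wide window."""
    return Counter(e // bucket_seconds for e in expirations)

# Constructed sample values, not taken from the thread.
CALCULATED = 1240000000   # nominal expiration, seconds since the epoch
JITTER = 3600             # maximum deviation in seconds

if __name__ == "__main__":
    for jitter in (0, JITTER):
        exps = simulate(10000, CALCULATED, jitter)
        buckets = spread(exps, 600)
        print(f"jitter={jitter}: "
              f"range {min(exps) - CALCULATED:+d}..{max(exps) - CALCULATED:+d} s, "
              f"{len(buckets)} ten-minute windows, "
              f"busiest holds {max(buckets.values())} signatures")
```

Without jitter every signature in the batch expires in the same second, so all of them come due for re-signing together; with jitter the same batch is spread over a window of twice the jitter value.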