[Opendnssec-develop] Signer Testplan: first try

Jelte Jansen jelte at NLnetLabs.nl
Wed Apr 8 15:53:08 UTC 2009


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Jakob Schlyter wrote:
>>>  signature expiration = calculated expiration time - jitter +
>>> (random(jitter) * 2)
>>>
>>> where random(x) is a function generating a random number r such that 0 ≤ r
>>> ≤ x. this would generate a signature expiration that can vary +/- some
>>> jitter number of seconds, right?
>>
>> You just make it a whole lot more complex ;)
> 
> is it? this is just how I implemented it in the BIND signer. almost,
> more exactly I just did - and not +, but it has been there for some time
> now.
> 

nah, it is slightly more complex than either exptime + rand(jitter) or exptime -
rand(jitter). But only very :)

>> Is it? Where is that defined? Doing it modular instead of random gives
>> you a nicer expiration datetime spreading, imho.
> 
> spreading is good so whatever gives us that is good I guess.
> 

http://content4.clipmarks.com/image_cache/xofxof/512/405B2A78-5499-474D-89B9-17F420F175C5.gif

Random is computationally more difficult than modular, but again only very
little (we are not going for 'true' random here, pseudorandom is more than
enough for jitter), and compared to other stuff here negligible. However, random
should give (given a decent generator) a better spread, since one does not have
to guess the steps between the different jittered values. Or one could base that
on both the jitter setting and the number of signatures to be created. Making it
way more difficult than 'just' random :) (then again, a 'bad' random function
would be worse).

>> Although it doesn't matter, I think TTL=0 makes sense (since caching is
>> not involved). Or SOA MIN, like with NSEC(3).
>>
>> However, I think to configure something that does not matter, doesn't
>> make sense.
> 
> it's just if it makes sense to set a default. or we just do TTL=0 and be
> done with it and in that case it can be removed from the kasp + signconf.
> 

yes please. It might even have the added benefit that people don't confuse it
with something that matters for anything but authoritative resolvers.

Jelte
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org

iEYEARECAAYFAkncyGQACgkQ4nZCKsdOncUKYgCgiq02//7c1I1vsatA/GB3hk/T
18IAoI8OkSC73J1Q9GJBwiR9c51qwVbt
=YW3V
-----END PGP SIGNATURE-----
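As an added example (not OpenDNSSEC or BIND code, and not part of the thread above), the jitter schemes compared in this message side by side: exptime + rand(jitter), exptime - rand(jitter), the symmetric formula quoted from Jakob, and one reading of "modular instead of random". All function names, the modular rule, and the sample inception/validity/jitter values are assumptions made for illustration. The batch helper reports how many distinct expiration times a run of signatures ends up with, which is the spread the thread is arguing about.

```python
"""Added example: signature-expiration jitter schemes discussed in the thread.
Not OpenDNSSEC or BIND code; names, the 'modular' rule and the sample values
are assumptions for illustration."""
import random
from collections import Counter

# Constructed sample inputs (assumptions, not values from the thread):
INCEPTION = 1_239_000_000          # signature inception, Unix seconds
VALIDITY = 14 * 24 * 3600          # two-week signature lifetime
JITTER = 12 * 3600                 # +/- 12 hours of jitter


def check_window(inception, expiration, jitter):
    """Refuse a jitter that could push an expiration at or before inception."""
    if jitter < 0:
        raise ValueError("jitter must be >= 0")
    if expiration - jitter <= inception:
        raise ValueError("jitter window reaches back to the inception time")


def expiration_plus_jitter(expiration, jitter, rng):
    """exptime + rand(jitter): result in [expiration, expiration + jitter]."""
    return expiration + rng.randint(0, jitter)


def expiration_minus_jitter(expiration, jitter, rng):
    """exptime - rand(jitter): result in [expiration - jitter, expiration]."""
    return expiration - rng.randint(0, jitter)


def expiration_symmetric_jitter(expiration, jitter, rng):
    """The formula quoted in the thread: expiration - jitter + random(jitter) * 2
    with 0 <= random(jitter) <= jitter, so the result lies in
    [expiration - jitter, expiration + jitter].  Taken literally, the '* 2'
    means only every other second inside that window can be hit."""
    return expiration - jitter + rng.randint(0, jitter) * 2


def expiration_modular_jitter(expiration, jitter, index):
    """One reading of 'modular instead of random' (an assumption): the i-th
    signature gets offset (i mod (2*jitter + 1)) - jitter, which walks the
    window [expiration - jitter, expiration + jitter] deterministically and
    evenly, one second per signature."""
    window = 2 * jitter + 1
    return expiration - jitter + (index % window)


def spread(values):
    """Summarise how evenly a batch of expirations is distributed:
    (distinct values, smallest, largest, largest count of any single value)."""
    counts = Counter(values)
    return len(counts), min(values), max(values), max(counts.values())


def jitter_batch(n, inception=INCEPTION, validity=VALIDITY, jitter=JITTER, seed=1):
    """Sign n RRsets with each scheme and return {scheme: spread tuple}.
    A seeded PRNG is fine here: jitter needs spread, not unpredictability."""
    expiration = inception + validity
    check_window(inception, expiration, jitter)
    rng = random.Random(seed)
    batches = {
        "plus": [expiration_plus_jitter(expiration, jitter, rng) for _ in range(n)],
        "minus": [expiration_minus_jitter(expiration, jitter, rng) for _ in range(n)],
        "symmetric": [expiration_symmetric_jitter(expiration, jitter, rng) for _ in range(n)],
        "modular": [expiration_modular_jitter(expiration, jitter, i) for i in range(n)],
    }
    return {name: spread(vals) for name, vals in batches.items()}


if __name__ == "__main__":
    for name, (distinct, lo, hi, peak) in jitter_batch(10_000).items():
        print(f"{name:10s} distinct={distinct:6d} window={hi - lo:6d}s peak={peak}")
```

The modular variant is the only one whose spread does not depend on the generator: with fewer signatures than seconds in the window every signature gets its own expiration second. The random variants collide occasionally, and the symmetric formula as quoted uses only half the seconds in its window because of the `* 2`.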