[Opendnssec-develop] Erroneous jitter semantics
Jakob Schlyter
jakob at kirei.se
Wed Mar 10 15:45:59 UTC 2010
The semantics of "jitter" differs between BIND9 and OpenDNSSEC:
BIND9 does expiration' = expiration - (rnd % jitter)
OpenDNSSEC does expiration' = expiration + (rnd % jitter)
one might also consider doing expiration' = expiration - jitter + (rnd % (jitter * 2))
I kind of like to BIND9 semantics, not only because I designed it but also because it's the most conservative approach (ie. the expiration is the longest possible signature validity and decreased slightly by jitter).
Anyway, we need to fix this - both for 1.1 and for 1.0. and make sure it is properly documented.
jakob
ref: http://www.pivotaltracker.com/story/show/2744296
More information about the Opendnssec-develop
mailing list