[Opendnssec-develop] Erroneous jitter semantics

Jakob Schlyter jakob at kirei.se
Wed Mar 10 15:45:59 UTC 2010

The semantics of "jitter" differs between BIND9 and OpenDNSSEC:

BIND9 does      expiration' = expiration - (rnd % jitter)
OpenDNSSEC does expiration' = expiration + (rnd % jitter)

One might also consider doing expiration' = expiration - jitter + (rnd % (jitter * 2))

I kind of like the BIND9 semantics, not only because I designed it but also because it's the most conservative approach (i.e. the expiration is the longest possible signature validity and decreased slightly by jitter).

Anyway, we need to fix this - both for 1.1 and for 1.0, and make sure it is properly documented.


ref: http://www.pivotaltracker.com/story/show/2744296
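As an added illustration (constructed here, not OpenDNSSEC or BIND9 code), the three formulas from the mail applied to a constructed 7-day validity with 12 hours of jitter; rnd is enumerated exhaustively, so the range each formula can produce is exact and shows which variants can push a signature past the configured expiration.

```python
"""Constructed comparison of the three jitter formulas discussed in the mail.
All values are in seconds; rnd stands for the signer's random value."""
from dataclasses import dataclass


@dataclass(frozen=True)
class JitterRange:
    earliest: int  # earliest expiration' the formula can produce
    latest: int    # latest expiration' the formula can produce


def bind9_jitter(expiration: int, jitter: int, rnd: int) -> int:
    """expiration' = expiration - (rnd % jitter): never later than expiration."""
    if jitter == 0:  # jitter disabled; avoid rnd % 0
        return expiration
    return expiration - (rnd % jitter)


def opendnssec_jitter(expiration: int, jitter: int, rnd: int) -> int:
    """expiration' = expiration + (rnd % jitter): never earlier than expiration."""
    if jitter == 0:
        return expiration
    return expiration + (rnd % jitter)


def symmetric_jitter(expiration: int, jitter: int, rnd: int) -> int:
    """expiration' = expiration - jitter + (rnd % (jitter * 2)): centred on expiration."""
    if jitter == 0:
        return expiration
    return expiration - jitter + (rnd % (jitter * 2))


def jitter_range(formula, expiration: int, jitter: int) -> JitterRange:
    """Enumerate every residue rnd can take (2*jitter covers both moduli)."""
    values = [formula(expiration, jitter, rnd) for rnd in range(max(2 * jitter, 1))]
    return JitterRange(min(values), max(values))


def exceeds_configured_expiration(formula, expiration: int, jitter: int) -> bool:
    """True if some rnd yields a signature valid beyond the configured expiration."""
    return jitter_range(formula, expiration, jitter).latest > expiration


if __name__ == "__main__":
    # Constructed policy: inception at 0, 7 days validity, 12 hours of jitter.
    expiration, jitter = 7 * 86400, 12 * 3600
    for name, formula in (("BIND9", bind9_jitter), ("OpenDNSSEC", opendnssec_jitter),
                          ("symmetric", symmetric_jitter)):
        r = jitter_range(formula, expiration, jitter)
        print(f"{name:10s} expiration' in [{r.earliest}, {r.latest}] "
              f"exceeds configured: {exceeds_configured_expiration(formula, expiration, jitter)}")
```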
