[Opendnssec-develop] Erroneous jitter semantics
rickard.bellgrim at iis.se
Wed Mar 10 16:34:27 UTC 2010
Does the same thing apply to the inception offset?
So that the validity in the configuration is the maximum possible.
On 10 mar 2010, at 16.45, Jakob Schlyter wrote:
> The semantics of "jitter" differs between BIND9 and OpenDNSSEC:
> BIND9 does expiration' = expiration - (rnd % jitter)
> OpenDNSSEC does expiration' = expiration + (rnd % jitter)
> one might also consider doing expiration' = expiration - jitter + (rnd % (jitter * 2))
> I kind of like the BIND9 semantics, not only because I designed it but also because it's the most conservative approach (i.e. the expiration is the longest possible signature validity and decreased slightly by jitter).
> Anyway, we need to fix this - both for 1.1 and for 1.0, and make sure it is properly documented.
> ref: http://www.pivotaltracker.com/story/show/2744296
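Added example (not part of the original post, and not BIND9 or OpenDNSSEC code): the three jitter formulas quoted above, applied to one configured expiration while enumerating every residue of rnd, to show which variants can move the expiration past the configured value. The enum and function names and the sample timestamp are assumptions, and jitter == 0 is treated as "no jitter" so that rnd % 0 is never evaluated.

```c
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>

/* The three variants quoted in the thread (enum names are hypothetical). */
enum jitter_mode { JITTER_SUBTRACT, JITTER_ADD, JITTER_CENTERED };

struct offset_range { int64_t lo, hi; };  /* seconds relative to configured expiration */

/* Apply jitter to a configured expiration (seconds since the epoch).
 * jitter == 0 is special-cased: rnd % 0 is undefined behaviour in C. */
int64_t jittered_expiration(enum jitter_mode mode, int64_t expiration,
                            uint32_t jitter, uint32_t rnd)
{
    if (jitter == 0)
        return expiration;
    switch (mode) {
    case JITTER_SUBTRACT:  /* expiration - (rnd % jitter) */
        return expiration - (int64_t)(rnd % jitter);
    case JITTER_ADD:       /* expiration + (rnd % jitter) */
        return expiration + (int64_t)(rnd % jitter);
    case JITTER_CENTERED:  /* expiration - jitter + (rnd % (jitter * 2)) */
        return expiration - (int64_t)jitter + (int64_t)(rnd % (2 * (uint64_t)jitter));
    }
    return expiration;
}

/* Try every residue of rnd and report the earliest and latest result. */
struct offset_range jitter_offsets(enum jitter_mode mode, uint32_t jitter)
{
    const int64_t expiration = 1268236800;  /* constructed sample timestamp */
    struct offset_range r = { 0, 0 };
    for (uint64_t rnd = 0; rnd < 2 * (uint64_t)jitter; rnd++) {
        int64_t d = jittered_expiration(mode, expiration, jitter, (uint32_t)rnd) - expiration;
        if (rnd == 0 || d < r.lo) r.lo = d;
        if (rnd == 0 || d > r.hi) r.hi = d;
    }
    return r;
}

int main(void)
{
    static const char *name[] = { "subtract", "add", "centered" };
    for (int m = JITTER_SUBTRACT; m <= JITTER_CENTERED; m++) {
        struct offset_range r = jitter_offsets((enum jitter_mode)m, 3600);
        printf("%-8s offset in [%" PRId64 ", %" PRId64 "] s%s\n", name[m], r.lo, r.hi,
               r.hi > 0 ? "  (can outlive configured expiration)" : "");
    }
    return 0;
}
```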