[Opendnssec-develop] Erroneous jitter semantics
Rickard Bellgrim
rickard.bellgrim at iis.se
Wed Mar 10 16:34:27 UTC 2010
Does the same thing apply to the inception offset?
So that the validity in the configuration is the maximum possible.
// Rickard
On 10 mar 2010, at 16.45, Jakob Schlyter wrote:
>
> The semantics of "jitter" differs between BIND9 and OpenDNSSEC:
>
> BIND9 does expiration' = expiration - (rnd % jitter)
> OpenDNSSEC does expiration' = expiration + (rnd % jitter)
>
> one might also consider doing expiration' = expiration - jitter + (rnd % (jitter * 2))
>
>
> I kind of like the BIND9 semantics, not only because I designed it but also because it's the most conservative approach (i.e. the expiration is the longest possible signature validity and decreased slightly by jitter).
>
> Anyway, we need to fix this - both for 1.1 and for 1.0 - and make sure it is properly documented.
>
>
> jakob
>
> ref: http://www.pivotaltracker.com/story/show/2744296
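
The three jitter formulas compared in the quoted message, as an added example (not OpenDNSSEC or BIND9 code): it enumerates every residue of rnd to find the reachable range of expiration' under each formula and reports whether the configured expiration remains the maximum. The names, the 14-day validity and the 1-hour jitter are constructed, times are assumed to be in seconds, and the `jitter == 0` guard is an addition.

```c
#include <stdint.h>
#include <stdio.h>

/* Hypothetical names for the three formulas in the thread. */
enum jitter_mode { JIT_SUB /* BIND9 */, JIT_ADD /* OpenDNSSEC */, JIT_CENTERED };

struct range { int64_t lo, hi; };

/* expiration' for one random draw; times are assumed to be in seconds. */
int64_t apply_jitter(enum jitter_mode m, int64_t expiration,
                     uint32_t jitter, uint32_t rnd)
{
    if (jitter == 0)              /* added guard: rnd % 0 is undefined in C */
        return expiration;
    switch (m) {
    case JIT_SUB:      return expiration - (int64_t)(rnd % jitter);
    case JIT_ADD:      return expiration + (int64_t)(rnd % jitter);
    case JIT_CENTERED: return expiration - (int64_t)jitter
                            + (int64_t)(rnd % ((uint64_t)jitter * 2));
    }
    return expiration;
}

/* Reachable range of expiration': rnd in [0, 2*jitter) covers every residue. */
struct range jitter_range(enum jitter_mode m, int64_t expiration, uint32_t jitter)
{
    struct range r = { expiration, expiration };
    for (uint64_t rnd = 0; rnd < (uint64_t)jitter * 2; rnd++) {
        int64_t e = apply_jitter(m, expiration, jitter, (uint32_t)rnd);
        if (e < r.lo) r.lo = e;
        if (e > r.hi) r.hi = e;
    }
    return r;
}

/* 1 if some draw yields a signature valid longer than configured. */
int exceeds_configured(enum jitter_mode m, int64_t expiration, uint32_t jitter)
{
    return jitter_range(m, expiration, jitter).hi > expiration;
}

int main(void)
{
    const char *name[] = { "subtract", "add", "centered" };
    for (int m = JIT_SUB; m <= JIT_CENTERED; m++) {
        /* Constructed policy: 14-day validity, 1-hour jitter. */
        struct range r = jitter_range((enum jitter_mode)m, 1209600, 3600);
        printf("%-8s [%lld, %lld] exceeds=%d\n", name[m], (long long)r.lo,
               (long long)r.hi, exceeds_configured((enum jitter_mode)m, 1209600, 3600));
    }
    return 0;
}
```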