[Opendnssec-develop] Erroneous jitter semantics

Matthijs Mekking matthijs at NLnetLabs.nl
Thu Mar 11 09:39:55 UTC 2010


I am not too happy about decreasing the validity period with jitter,
instead of increasing it. This might allow people to shoot in their own
foot (by configuring stupid values for signature validity and jitter).

I understand that we want to avoid confusion and thus would like to have
the same behavior as other DNSSEC implementations.

I don't like the reasoning "because Bind does it".

Matthijs

Jakob Schlyter wrote:
> On 11 mar 2010, at 09.49, Rickard Bellgrim wrote:
> 
>> What I mean is that currently we do this:
>>
>> Inception = now - offset
>> Expiration = now + validity period + jitter
>> Total validity = offset + validity period + jitter
> 
> correct.
> 
> 
>> You are suggesting:
>>
>> Inception = now - offset
>> Expiration = now + validity period - jitter
>> Total validity = offset + validity period - jitter
> 
> right, and this gives:
> 
> min(total validity) = offset + validity period - max(jitter)
> max(total validity) = offset + validity period
> 
> so signatures will effectively expire between
> 	now + validity - max(jitter)
> and
> 	now + validity
> 
> 
>> But if we want to truly use the validity period as the maximum, then do this:
>>
>> Inception = now - offset
>> Expiration = now + validity period - jitter - offset
>> Total validity = validity period - jitter
> 
> the offset is a safe guard against time error, so I would not include that in the calculation of the signature expiration.
> 
> 
> 	jakob
> 
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
