[Opendnssec-develop] Erroneous jitter semantics
Stephen.Morris at nominet.org.uk
Thu Mar 11 10:38:21 UTC 2010
Jakob Schlyter <jakob at kirei.se> wrote on 11/03/2010 09:42:36:
> On 11 mar 2010, at 10.39, Matthijs Mekking wrote:
>
> > I am not too happy about decreasing the validity period with jitter,
> > instead of increasing it. This might allow people to shoot in their own
> > foot (by configuring stupid values for signature validity and jitter).

People will always be able to configure stupid values. We can mitigate
that in several ways:
* providing something that people can run to check the parameters (e.g.
ods-kaspcheck)
* providing a parameter editor (even if it just links something like "vi"
with the check program, i.e. something like "crontab -e")
* hard-code limits e.g. jitter must always be <= 20% of the validity
period
... but ultimately it's down to the user. We can only do so much.

> I kind of like my 3rd jitter semantics, i.e. jitter AROUND the validity period
> - but I understand it may just confuse people even more.

I would have thought that's the most logical and least confusing
description - a signature's validity period will lie in the interval
(defined validity period +/- jitter). The only thing we would need to
make clear is that there is a uniform distribution of validity periods in
this interval, not a normal distribution.
Stephen
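
The "validity period +/- jitter" semantics and the parameter check discussed in this message, as an added example that is not part of the original post and is not OpenDNSSEC code. All function names are hypothetical, values are assumed to be whole seconds, and the 20% ceiling is the example limit floated above, not a project default.

```python
import random
from datetime import datetime, timedelta, timezone

# Example ceiling taken from the message ("jitter must always be <= 20%").
MAX_JITTER_FRACTION = 0.20

def check_policy(validity_s, jitter_s, max_fraction=MAX_JITTER_FRACTION):
    """Return a list of problems with a (validity, jitter) pair; empty means OK."""
    problems = []
    if validity_s <= 0:
        problems.append("validity must be positive")
    if jitter_s < 0:
        problems.append("jitter must not be negative")
    if validity_s > 0 and jitter_s > max_fraction * validity_s:
        problems.append(
            f"jitter {jitter_s}s exceeds {max_fraction:.0%} of validity {validity_s}s")
    return problems

def jittered_validity(validity_s, jitter_s, rng):
    """Draw one validity period uniformly from [validity - jitter, validity + jitter]."""
    problems = check_policy(validity_s, jitter_s)
    if problems:
        raise ValueError("; ".join(problems))
    # randint is inclusive at both ends and uniform over the integers between.
    return validity_s + rng.randint(-jitter_s, jitter_s)

def signature_expiration(inception, validity_s, jitter_s, rng):
    """Expiration time for one signature created at `inception`."""
    return inception + timedelta(seconds=jittered_validity(validity_s, jitter_s, rng))

def spread(validity_s, jitter_s, n, seed=0):
    """Shortest, longest and mean validity over n draws (seeded, so repeatable)."""
    rng = random.Random(seed)
    draws = [jittered_validity(validity_s, jitter_s, rng) for _ in range(n)]
    return min(draws), max(draws), sum(draws) / n

if __name__ == "__main__":
    week, half_day = 7 * 86400, 12 * 3600      # constructed sample policy
    print(check_policy(week, half_day))         # accepted
    print(check_policy(week, week // 2))        # rejected: jitter is 50% of validity
    print(spread(week, half_day, 10_000))
    now = datetime(2010, 3, 11, tzinfo=timezone.utc)
    print(signature_expiration(now, week, half_day, random.Random(1)))
```

The shortest signature lifetime a policy can produce under these semantics is validity minus jitter, which is the figure to compare against any resigning schedule.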