[Opendnssec-develop] Erroneous jitter semantics

Stephen.Morris at nominet.org.uk Stephen.Morris at nominet.org.uk
Thu Mar 11 10:38:21 UTC 2010

Jakob Schlyter <jakob at kirei.se> wrote on 11/03/2010 09:42:36:

> On 11 mar 2010, at 10.39, Matthijs Mekking wrote:
> > I am not too happy about decreasing the validity period with jitter,
> > instead of increasing it. This might allow people to shoot in their 
> > foot (by configuring stupid values for signature validity and jitter).

People will always be able to configure stupid values.  We can mitigate 
that in several ways:

* providing something that people can run to check the parameters (e.g. 
* providing a parameter editor (even if it just links something like "vi" 
with the check program, i.e. something like "crontab -e")
* hard-code limits e.g. jitter must always be <= 20% of the validity 

... but ultimately it's down to the user.  We can only do so much.

> I kind of like my 3rd jitter semantics, i.e. jitter AROUND the validity 
> - but I understand may just confuse people even more.

I would have thought that's the most logical and least confusing 
description - a signature's validity period will lie in the interval 
(defined validity period +/- jitter).  The only thing we would need to 
make clear is that there is a uniform distribution of validity periods in 
this interval, not a normal distribution.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.opendnssec.org/pipermail/opendnssec-develop/attachments/20100311/9294086c/attachment.htm>

More information about the Opendnssec-develop mailing list