[Opendnssec-develop] Erroneous jitter semantics

Rickard Bellgrim rickard.bellgrim at iis.se
Thu Mar 11 11:07:39 UTC 2010


People will always be able to configure stupid values.  We can mitigate that in several ways:

... but ultimately it's down to the user.  We can only do so much.


I agree. There are many ways of screwing up the configuration. We do have ods-kaspcheck, which we need to revisit in the future and see how it can be used.

> I kind of like my 3rd jitter semantics, i.e. jitter AROUND the validity period
> - but I understand it may just confuse people even more.

I would have thought that's the most logical and least confusing description - a signature's validity period will lie in the interval (defined validity period +/- jitter).  The only thing we would need to make clear is that there is a uniform distribution of validity periods in this interval, not a normal distribution.

OK, so let's go with +/- jitter/2. I think it should just be a one-liner in the Signer. We also need to update the picture in the documentation.

The Auditor should be fine with this as well, right? Or does it check that the validity period of the signature is within the limits of the KASP? If so, then it also needs to be updated.

// Rickard
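
The "+/- jitter/2" semantics settled on in this message, together with an auditor-style limit check, as an added Python example that is not OpenDNSSEC's Signer or Auditor code. All function names and the sample policy values (14 days validity, 12 hours jitter) are assumptions made for illustration.

```python
import random

def validity_bounds(validity, jitter):
    """Inclusive (min, max) signature lifetime in seconds for validity +/- jitter/2."""
    if validity <= 0 or jitter < 0:
        raise ValueError("validity must be positive and jitter non-negative")
    half = jitter // 2
    if half >= validity:
        raise ValueError("jitter/2 must be smaller than the validity period")
    return validity - half, validity + half

def jittered_validity(validity, jitter, rng=random):
    """Pick one lifetime uniformly (not normally) from the allowed interval."""
    low, high = validity_bounds(validity, jitter)
    return rng.randint(low, high)

def audit_signature(inception, expiration, validity, jitter):
    """Auditor-style check: is the signature lifetime within the policy limits?"""
    low, high = validity_bounds(validity, jitter)
    return low <= expiration - inception <= high

def audit_without_jitter(inception, expiration, validity):
    """Hypothetical stricter check that ignores jitter; kept only for comparison."""
    return expiration - inception <= validity

if __name__ == "__main__":
    VALIDITY = 14 * 86400      # constructed sample policy: 14 days
    JITTER = 12 * 3600         # constructed sample policy: 12 hours
    rng = random.Random(2010)  # fixed seed so the run is repeatable
    inception = 1_268_000_000  # constructed inception timestamp
    lifetimes = [jittered_validity(VALIDITY, JITTER, rng) for _ in range(10_000)]
    ok = sum(audit_signature(inception, inception + t, VALIDITY, JITTER)
             for t in lifetimes)
    strict = sum(audit_without_jitter(inception, inception + t, VALIDITY)
                 for t in lifetimes)
    print("bounds:", validity_bounds(VALIDITY, JITTER))
    print("pass jitter-aware check:", ok, "of", len(lifetimes))
    print("pass check that ignores jitter:", strict, "of", len(lifetimes))
```

A check that compares signature lifetimes against the configured validity alone rejects roughly half of the signatures produced this way, which is why the limits used by any such check have to widen by jitter/2 on both sides.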