[Opendnssec-develop] kasp draft

Siôn Lloyd sion at nominet.org.uk
Mon Jul 28 12:28:39 UTC 2014

On 28/07/14 12:59, Matthijs Mekking wrote:
> On 07/28/2014 12:30 PM, Siôn Lloyd wrote:
>> On 28/07/14 10:10, Matthijs Mekking wrote:
>>> On 07/15/2014 10:52 AM, Siôn Lloyd wrote:
>>>> Jitter - I'm not sure that there is a need to define the jitter
>>>> algorithm... I can have jitter that only increases signature lifetimes
>>>> (i.e. r * j) and it is still just as valid. The algorithm could be given
>>>> as an example.
>>> I think we do want to define the algorithm, so that if the policy is
>>> used in a different implementation, you can expect the same behavior.
>> I don't agree... If I have an existing implementation that uses a
>> different, but equally valid, algorithm then I cannot describe my
>> system using this document. That would seem to be an unnecessary
>> restriction.
>> The more generic solution would be to define jitter as the maximum a
>> signature can vary from the defined lifetime - what distribution that
>> variation takes is implementation specific.
> It depends on why the policy includes a jitter. Is it to control the
> range or is it there to control the signature distribution? If the
> former, then we can define the jitter to be the varied range. If the
> latter, I think the algorithm must be defined.

My understanding of jitter is that it is to spread signature expiry to
reduce peak load on the signer... So I guess I'm arguing for the former
and leaving the implementation details out of the policy.
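The two readings of jitter argued over above, as an added illustration that is not part of the thread or of OpenDNSSEC's code: the policy fixes only the maximum deviation from the configured lifetime, and two hypothetical signer strategies (symmetric and increase-only, the `r * j` form mentioned above) both conform while spreading expiry load differently. The lifetime and jitter values are constructed.

```python
"""Added example: jitter as a bounded range versus a fixed algorithm.

A policy that defines jitter as the maximum a signature lifetime may
deviate from the configured value accepts any distribution inside that
range.  Two hypothetical strategies are compared by how evenly they spread
signature expiry (and hence re-signing load) across one-hour buckets.
"""
import random
from collections import Counter

LIFETIME = 14 * 86400   # configured signature validity in seconds (constructed)
JITTER = 12 * 3600      # maximum deviation from LIFETIME in seconds (constructed)


def fixed_lifetime(rng, lifetime=LIFETIME, jitter=JITTER):
    """No jitter at all: every signature expires at exactly the same time."""
    return lifetime


def symmetric_lifetime(rng, lifetime=LIFETIME, jitter=JITTER):
    """Hypothetical strategy: lifetime + U(-j, j)."""
    return lifetime + rng.uniform(-jitter, jitter)


def increase_only_lifetime(rng, lifetime=LIFETIME, jitter=JITTER):
    """Hypothetical strategy from the thread: lifetime + r * j, r in [0, 1)."""
    return lifetime + rng.random() * jitter


def conforms(actual, lifetime=LIFETIME, jitter=JITTER):
    """The 'range' reading of the policy: only the deviation is bounded."""
    return abs(actual - lifetime) <= jitter


def expiry_buckets(strategy, n_sigs, bucket=3600, seed=1):
    """Sign n_sigs records at t=0 and count expiries per one-hour bucket.
    Every lifetime produced is checked against the policy bound."""
    rng = random.Random(seed)
    lifetimes = [strategy(rng) for _ in range(n_sigs)]
    assert all(conforms(lt) for lt in lifetimes)
    return Counter(int(lt // bucket) for lt in lifetimes)


def peak_load(strategy, n_sigs=10000):
    """Largest number of signatures expiring in any single bucket."""
    return max(expiry_buckets(strategy, n_sigs).values())
```

All three strategies satisfy the same policy bound; only the load profile differs, which is the distinction the thread is drawing.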