[Opendnssec-develop] kasp draft

Matthijs Mekking matthijs at nlnetlabs.nl
Mon Jul 28 12:36:17 UTC 2014


On 07/28/2014 02:28 PM, Siôn Lloyd wrote:
> On 28/07/14 12:59, Matthijs Mekking wrote:
>> On 07/28/2014 12:30 PM, Siôn Lloyd wrote:
>>> On 28/07/14 10:10, Matthijs Mekking wrote:
>>>> On 07/15/2014 10:52 AM, Siôn Lloyd wrote:
>>>>> 2.1.1.1
>>>>> Jitter - I'm not sure that there is a need to define the jitter
>>>>> algorithm... I can have jitter that only increases signature lifetimes
>>>>> (i.e. r * j) and it is still just as valid. The algorithm could be given
>>>>> as an example.
>>>> I think we do want to define the algorithm: So that if the policy is
>>>> used in a different implementation, you can expect the same behavior.
>>> I don't agree... If I have an existing implementation that uses a
>>> different, but equally valid, algorithm then I can not describe my
>>> system using this document. That would seem to be an unnecessary
>>> restriction.
>>>
>>> The more generic solution would be to define jitter as the maximum a
>>> signature can vary from the defined lifetime - what distribution that
>>> variation takes is implementation specific.
>> It depends on why the policy includes a jitter. Is it to control the
>> range or is it there to control the signature distribution? If the
>> former, then we can define the jitter to be the varied range. If the
>> latter, I think the algorithm must be defined.
>>
>>
> 
> My understanding of jitter is that it is to spread signature expiry to
> reduce peak load on the signer... So I guess I'm arguing for the former
> and leaving the implementation details out of the policy.

Agree to disagree:) I have created a new issue for this:

    https://github.com/matje/dnsop-kasp/issues/8

It would be good to hear what others think. Planning to submit this to
dnsop list for discussion.

Best regards,
  Matthijs


> 
> Sion
> _______________________________________________
> Opendnssec-develop mailing list
> Opendnssec-develop at lists.opendnssec.org
> https://lists.opendnssec.org/mailman/listinfo/opendnssec-develop
> 




More information about the Opendnssec-develop mailing list