[Opendnssec-user] Signature period not precise

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Aug 21 09:53:05 UTC 2012



Hi,

On 08/20/2012 11:23 AM, 刘硕 wrote:
> Hi all,
> 
> I have added a new zone and signed it with ods-signer, but I found
> that the signature validity and expiration time in the signed zone
> file was not the time when I signed; there is a delay of hours. The time
> I ran ods-signer was 20/8/2012 17:08 P.M., but the signature period
> actually began from 20/8/2012 08:08 A.M.; there is a 9-hour delay.
> This will surely affect the validity of the signature.

The signature inception time is a function of the current time and the
inception offset. Is your InceptionOffset in the kasp.xml policy 9 hours?

The actual validity is the sum of the inception offset and the actual
validity period. So it should not affect when the expiration time is
set. Jitter may affect the expiration time.

Best regards,
  Matthijs



> 
> [dns at CST-BJ-104:var/opendnssec/signed]$head example
> example. 300 IN SOA ns1.example. mail.example. 1345453691 10800 3600 60480 300
> example. 300 IN RRSIG SOA 8 1 300 20120830090809 20120820080811 15901 example. EI0qhqmK2yZptcF38DkQHVqQqw8Pk7DX7J56iYRF846KzQRg9meVjEeYNNXS4MtEh4F34tvjLdw+NqCSDPPHB7CQQlNUTgTxHbBjEWXt9AbhqhWhfCkTHCRAPEuy6uV8T7ZVTyq5qqyOkpAAXzw77BJ94d3QrzrShHoc405eWrU=
> 
> Best regards, Stuart


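The following is an added example, not part of the original thread or of OpenDNSSEC: it reads the inception and expiration fields of the RRSIG quoted above (RFC 4034 defines them as UTC) and relates them to a signing time. Two assumptions that the thread does not state: the SOA serial 1345453691 is a Unix timestamp taken at signing time, and the poster's wall clock is UTC+8.

```python
from datetime import datetime, timedelta, timezone

# RRSIG as quoted in the message above; the signature field is omitted, it is not needed here.
RRSIG = ("example. 300 IN RRSIG SOA 8 1 300 "
         "20120830090809 20120820080811 15901 example.")
SOA_SERIAL = 1345453691      # from the quoted SOA; ASSUMED to be a Unix-time serial
LOCAL_UTC_OFFSET_HOURS = 8   # ASSUMED local zone of the poster's wall clock


def parse_rrsig_times(record):
    """Return (expiration, inception) as aware UTC datetimes."""
    fields = record.split()
    i = fields.index("RRSIG")
    # RDATA order: type covered, algorithm, labels, original TTL,
    # expiration, inception, key tag, signer name
    expiration, inception = fields[i + 5], fields[i + 6]

    def to_utc(stamp):
        # Presentation format is YYYYMMDDHHmmSS, always in UTC
        return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

    return to_utc(expiration), to_utc(inception)


def explain(record, signed_at, local_offset_hours):
    """Split the gap seen on a local clock into inception offset and time zone."""
    expiration, inception = parse_rrsig_times(record)
    local = timezone(timedelta(hours=local_offset_hours))
    local_wall = signed_at.astimezone(local).replace(tzinfo=None)
    return {
        "signed_at_utc": signed_at,
        # how far inception was backdated from the signing moment
        "inception_offset": signed_at - inception,
        # how long the signature stays valid counted from signing (jitter included)
        "expires_after": expiration - signed_at,
        # gap seen when the UTC inception digits are compared with a local clock
        "gap_on_local_clock": local_wall - inception.replace(tzinfo=None),
    }


if __name__ == "__main__":
    signed = datetime.fromtimestamp(SOA_SERIAL, tz=timezone.utc)
    for name, value in explain(RRSIG, signed, LOCAL_UTC_OFFSET_HOURS).items():
        print(f"{name:20} {value}")
```

Under these assumptions the record is backdated one hour from the signing moment, and the remaining eight hours of the apparent gap come from reading UTC digits against a UTC+8 clock.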
