Reply: Re: [Opendnssec-user] Signature period not precise

Matthijs Mekking matthijs at nlnetlabs.nl
Tue Aug 21 12:29:24 UTC 2012



Hi Stuart,

Sorry for misreading the first time. Time zones come to mind.
Note that the inception and expiration times are in UTC, see RFC 4034:

   The Signature Expiration and Inception field values specify a date
   and time in the form of a 32-bit unsigned number of seconds elapsed
   since 1 January 1970 00:00:00 UTC, ignoring leap seconds, in network
   byte order.

and:

   The Signature Expiration Time and Inception Time field values MUST be
   represented either as an unsigned decimal integer indicating seconds
   since 1 January 1970 00:00:00 UTC, or in the form YYYYMMDDHHmmSS in
   UTC, ...

So if you sign at 20/8/2012 17:08 P.M. and the inception is at
20/8/2012 08:08 A.M.,
you are in UTC+8 (17 minus 8 for the UTC minus 1 for the offset = 8),
is that right?

Best regards,
  Matthijs

On 08/21/2012 01:23 PM, 刘硕 wrote:
>> The signature inception time is a function of the current time
>> and the inception offset. Is your InceptionOffset in the kasp.xml
>> policy 9 hours?
> 
> No, the InceptionOffset is 3600S, but the point is the signature
> inception time is earlier, not later, than the current time; it is the
> opposite.
> 
> I signed a zone at 2012082119140544 or so, but the RRSIG SOA is: 
> example3.       300     IN      RRSIG   SOA 8 1 300 20120821130544 
> 20120821101435 718 example3. RZsMib3Zx
> 
> Once the authoritative server loads the zone data above, it will not
> get authenticated by a recursive server with the +dnssec flag. The policy
> I used is as follows:
> 
> <Policy name="lab">
>   <Description>Quick turnaround policy for lab work</Description>
>   <Signatures>
>     <Resign>PT15M</Resign>
>     <Refresh>PT30M</Refresh>
>     <Validity>
>       <Default>PT2H</Default>
>       <Denial>PT1H</Denial>
>     </Validity>
>     <Jitter>PT10M</Jitter>
>     <InceptionOffset>PT3600S</InceptionOffset>
>   </Signatures>
>   <Denial>
>     <NSEC3>
>       <OptOut/>
>       <Resalt>P100D</Resalt>
>       <Hash>
>         <Algorithm>1</Algorithm>
>         <Iterations>5</Iterations>
>         <Salt length="8"/>
>       </Hash>
>     </NSEC3>
>   </Denial>
> 
>   <Keys>
>     <!-- Parameters for both KSK and ZSK -->
>     <TTL>PT3000S</TTL>
>     <RetireSafety>PT360S</RetireSafety>
>     <PublishSafety>PT360S</PublishSafety>
>     <ShareKeys/>
>     <Purge>P1D</Purge>
> 
>     <!-- Parameters for KSK only -->
>     <KSK>
>       <Algorithm length="2048">8</Algorithm>
>       <Lifetime>P1Y</Lifetime>
>       <Repository>SoftHSM</Repository>
>     </KSK>
> 
>     <!-- Parameters for ZSK only -->
>     <ZSK>
>       <Algorithm length="1024">8</Algorithm>
>       <Lifetime>PT4H</Lifetime>
>       <Repository>SoftHSM</Repository>
>       <!-- <ManualRollover/> -->
>     </ZSK>
>   </Keys>
> 
>   <Zone>
>     <PropagationDelay>PT300S</PropagationDelay>
>     <SOA>
>       <TTL>PT300S</TTL>
>       <Minimum>PT300S</Minimum>
>       <Serial>unixtime</Serial>
>     </SOA>
>   </Zone>
> 
>   <Parent>
>     <PropagationDelay>PT9999S</PropagationDelay>
>     <DS>
>       <TTL>PT3600S</TTL>
>     </DS>
>     <SOA>
>       <TTL>PT172800S</TTL>
>       <Minimum>PT10800S</Minimum>
>     </SOA>
>   </Parent>
> 
> </Policy>
> 
> 
> Best regards, Stuart
> 
> 
> 


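As an added worked example (not part of either message in this thread and not OpenDNSSEC's own code): parse the RRSIG Stuart quoted, check its temporal validity the way RFC 4034 section 3.1.5 prescribes (32-bit UTC timestamps compared with RFC 1982 serial-number arithmetic), and recover the signer's UTC offset from a local wall-clock reading, assuming inception is backdated by the policy's PT3600S InceptionOffset. The function names and the 19:14:35 local clock value are assumptions constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# RRSIG as quoted in the thread (signature data truncated there; that does
# not matter for the time checks below).
RRSIG_SOA = ("example3. 300 IN RRSIG SOA 8 1 300 20120821130544 "
             "20120821101435 718 example3. RZsMib3Zx")
# Assumed: the policy's InceptionOffset PT3600S, by which inception is backdated.
INCEPTION_OFFSET = timedelta(hours=1)

def parse_rrsig_times(rrsig_text):
    """Return (inception, expiration) as aware datetimes. RFC 4034 presentation
    format after the RRSIG type is: type alg labels origttl expiration inception
    keytag signer signature; both YYYYMMDDHHmmSS fields are UTC, never local."""
    rdata = rrsig_text.split()
    rdata = rdata[rdata.index("RRSIG") + 1:]
    as_utc = lambda s: datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return as_utc(rdata[5]), as_utc(rdata[4])

def serial_lt(a, b):
    """RFC 1982 serial-number 'a < b' on 32-bit values, as RFC 4034 3.1.5
    requires, so the comparison survives the wrap of the unsigned counter."""
    a, b = a & 0xFFFFFFFF, b & 0xFFFFFFFF
    return a != b and ((a < b and b - a < 2**31) or (a > b and a - b > 2**31))

def rrsig_time_valid(rrsig_text, now):
    """True when inception <= now <= expiration in serial arithmetic."""
    inception, expiration = parse_rrsig_times(rrsig_text)
    i, e, n = (int(t.timestamp()) for t in (inception, expiration, now))
    return not serial_lt(n, i) and not serial_lt(e, n)

def implied_signing_time(rrsig_text, inception_offset=INCEPTION_OFFSET):
    """The UTC moment the signer ran: inception plus the backdating offset."""
    inception, _ = parse_rrsig_times(rrsig_text)
    return inception + inception_offset

def utc_offset_from_local_clock(rrsig_text, local_clock, inception_offset=INCEPTION_OFFSET):
    """Given the naive wall-clock reading at signing time, return the signer's
    UTC offset: the 'missing hours' are the time zone, not a signing delay."""
    signed_utc = implied_signing_time(rrsig_text, inception_offset)
    return local_clock - signed_utc.replace(tzinfo=None)

if __name__ == "__main__":
    inc, exp = parse_rrsig_times(RRSIG_SOA)
    print("window:", inc, "->", exp, "=", exp - inc)
    print("valid at signing time:", rrsig_time_valid(RRSIG_SOA, implied_signing_time(RRSIG_SOA)))
    # Constructed local reading (a UTC+8 wall clock), not taken from the thread.
    print("signer UTC offset:", utc_offset_from_local_clock(RRSIG_SOA, datetime(2012, 8, 21, 19, 14, 35)))
```

A validator only ever compares these UTC values against its own clock, so a zone whose inception sits an hour in the past is exactly what the policy asks for; the nine-hour gap Stuart sees is eight hours of time zone plus that one-hour offset.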