On Thu, May 7, 2020 at 8:34 AM Shumon Huque <shu...@gmail.com> wrote:
> On Wed, May 6, 2020 at 4:49 AM Stephane Bortzmeyer <bortzme...@nic.fr> wrote:
>
>> The draft apparently does not mention advice on expiration slack (such
>> as val-sig-skew-min and val-sig-skew-max in Unbound). Is there a
>> consensus on (I quote Unbound documentation) "The signature inception
>> and expiration dates are allowed to be off by 10% of the signature
>> lifetime"?
>
> RFC 6781 Section 4.4.2 (Signature Validity Periods) does mention having
> a reasonable signature inception offset, but recommends no value. It does
> not mention a signature expiration skew. It would be good to treat this
> subject in the document. Personally, I would prefer a fixed value (~ 5 to
> 10 minutes) rather than a percentage. Otherwise, the validator may be using
> possibly unacceptably small or large skew values depending on the validity
> interval.

Just to quickly follow up on my own post (sorry!), I realize this draft is only about validator requirements, but RFC 6781 describes signer recommendations. Still, the skew issue has come up for me recently in signer implementations too. One commercial DNSSEC implementation we were using was generating on-the-fly signatures with _no_ inception offset - which means if the validator's clock was off even slightly, and supported no skew, it would fail. It required some vigorous arguing with this vendor to get them to use an inception offset. So, the skew issue ideally needs to be addressed on both sides (and it might be reasonable to mention that in this draft).

Shumon.
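The two validator policies discussed in the thread (a flat 5-10 minute allowance versus Unbound's 10%-of-lifetime allowance) and the signer-side inception offset, as an added illustration that is not part of the thread and not Unbound's code. The helper names, the 60 s on-the-fly lifetime, the 30 d zone-signature lifetime and the 20 s validator clock error are all constructed for the example.

```python
from datetime import datetime, timedelta, timezone

# Hypothetical helper (not from Unbound or any draft): how far outside the
# RRSIG's [inception, expiration] window the validator's clock may sit.
def skew_allowance(inception, expiration, policy,
                   fixed=timedelta(minutes=5), fraction=0.10):
    if policy == "fixed":        # the flat 5-10 minute value argued for above
        return fixed
    if policy == "percent":      # Unbound-style: a fraction of the signature lifetime
        return (expiration - inception) * fraction
    raise ValueError(f"unknown skew policy {policy!r}")

def rrsig_time_ok(inception, expiration, now, policy, **kw):
    """True if `now` falls inside the validity window, widened by the skew allowance.

    Simplification: plain datetime arithmetic. A real validator compares the
    32-bit RRSIG timestamps with serial-number arithmetic (RFC 4034, 3.1.5).
    """
    if expiration <= inception:
        return False
    slack = skew_allowance(inception, expiration, policy, **kw)
    return inception - slack <= now <= expiration + slack

def scenarios():
    """Constructed cases mirroring the thread; returns the outcome of each."""
    signer_now = datetime(2020, 5, 7, 8, 34, tzinfo=timezone.utc)
    validator_now = signer_now - timedelta(seconds=20)   # validator clock 20 s slow
    out = {}
    # 1. On-the-fly signature, no inception offset, 60 s lifetime.
    inc, exp = signer_now, signer_now + timedelta(seconds=60)
    out["otf_percent"] = rrsig_time_ok(inc, exp, validator_now, "percent")  # only 6 s slack
    out["otf_fixed"] = rrsig_time_ok(inc, exp, validator_now, "fixed")      # 300 s slack
    # 2. Same signature once the signer backdates inception by 1 h; even a
    #    validator with zero skew tolerance (fraction=0.0) now accepts it.
    out["otf_offset_noskew"] = rrsig_time_ok(inc - timedelta(hours=1), exp,
                                             validator_now, "percent", fraction=0.0)
    # 3. Long-lived 30 d zone signature: the percentage allowance balloons to 3 d,
    #    while the fixed allowance stays at 5 min.
    inc, exp = signer_now - timedelta(days=1), signer_now + timedelta(days=29)
    out["zone_percent_slack_s"] = skew_allowance(inc, exp, "percent").total_seconds()
    out["zone_fixed_slack_s"] = skew_allowance(inc, exp, "fixed").total_seconds()
    return out

if __name__ == "__main__":
    for name, value in scenarios().items():
        print(f"{name}: {value}")
```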
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop