On 12/28/2011 10:42 PM, Spain, Dr. Jeffry A. wrote: > > First of all is it correct that the time stamps shown by dig for RRSIG > records are in local time? Otherwise, if the time stamps show UTC, then > the RRSIG for jaspain.net SOA for ZSK 42152 was generated at > 20111210230000, one hour prior to that key’s activation.
The timestamps are always in UTC. The hour in advance is called the "inception time", and is a good practice to sign a record with an inception time in the past. That way you allow it to be validated even with resolvers with not a perfect clock synchronization. Hugo _______________________________________________ Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
