On Wed, 20 Feb 2019 at 12:36, Tony Finch <[email protected]> wrote:
> Dick Franks <[email protected]> wrote:
> >
> > Unsigned 32 bit RRSIG time is good for travel until 7th February 2106.
>
> No, it lasts indefinitely. It covers +/- 68 years relative to current
> POSIX time using serial number arithmetic.
>
The value is ( t - Jan1970 ) mod 2**32, for any integer t, which is certainly not relative to current time, always positive, and I agree lasts indefinitely.

The point I was trying to make was that the wrapping occurs in 2106, not 2038 as some have claimed. RFC1982 serial number arithmetic is mandated for comparison of these values, not for defining the values themselves.

[RFC4034] 3.1.5. Signature Expiration and Inception Fields

   The Signature Expiration and Inception fields specify a validity period
   for the signature. The RRSIG record MUST NOT be used for authentication
   prior to the inception date and MUST NOT be used for authentication
   after the expiration date.

   The Signature Expiration and Inception field values specify a date and
   time in the form of a 32-bit unsigned number of seconds elapsed since
   1 January 1970 00:00:00 UTC, ignoring leap seconds, in network byte
   order. The longest interval that can be expressed by this format
   without wrapping is approximately 136 years. An RRSIG RR can have an
   Expiration field value that is numerically smaller than the Inception
   field value if the expiration field value is near the 32-bit wrap-around
   point or if the signature is long lived. Because of this, all
   comparisons involving these fields MUST use "Serial number arithmetic",
   as defined in [RFC1982]. As a direct consequence, the values contained
   in these fields cannot refer to dates more than 68 years in either the
   past or the future.
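As an added example, not part of the thread or any of its authors' code: the two halves of the argument above in Python, the 32-bit field encoding (t - Jan1970) mod 2**32 that first wraps in February 2106, and the RFC 1982 comparison with SERIAL_BITS = 32 that a validator uses to check a validity window even when it straddles the wrap. Function names are my own.

```python
from datetime import datetime, timedelta, timezone

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS            # 2**32: field values live in [0, MOD)
HALF = 1 << (SERIAL_BITS - 1)     # 2**31: RFC 1982 "half the space" limit
EPOCH = datetime(1970, 1, 1, tzinfo=timezone.utc)


def rrsig_time(when: datetime) -> int:
    """Encode a UTC datetime as an RRSIG Inception/Expiration field value:
    seconds since 1970-01-01T00:00:00Z (leap seconds ignored) mod 2**32.
    Defined for any instant, always non-negative; it wraps, never fails."""
    return int((when - EPOCH).total_seconds()) % MOD


def first_wrap() -> datetime:
    """The first instant whose field value returns to 0 (2**32 s after 1970)."""
    return EPOCH + timedelta(seconds=MOD)


def serial_cmp(i1: int, i2: int) -> int:
    """RFC 1982 serial number comparison for SERIAL_BITS=32.
    Returns -1 if i1 < i2, 0 if equal, +1 if i1 > i2.  The case where the
    values differ by exactly 2**31 is undefined in RFC 1982; raise on it."""
    if not (0 <= i1 < MOD and 0 <= i2 < MOD):
        raise ValueError("serial values must fit in 32 bits")
    if i1 == i2:
        return 0
    # Forward distance from i1 to i2 around the 2**32 ring.  i1 precedes i2
    # exactly when that distance is less than half the ring, which is the
    # same test RFC 1982 spells out as its two (i1 < i2) / (i1 > i2) cases.
    diff = (i2 - i1) % MOD
    if diff == HALF:
        raise ValueError("comparison undefined: values differ by 2**31")
    return -1 if diff < HALF else 1


def rrsig_usable(inception: int, expiration: int, now: int) -> bool:
    """RFC 4034 3.1.5: an RRSIG may be used only when
    inception <= now <= expiration, compared with serial number arithmetic,
    so a window whose Expiration is numerically below its Inception (it
    crosses the 2**32 wrap) is still handled correctly."""
    return serial_cmp(inception, now) <= 0 and serial_cmp(now, expiration) <= 0
```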
_______________________________________________ DNSOP mailing list [email protected] https://www.ietf.org/mailman/listinfo/dnsop
