Hi Stuart,

Sorry for misreading the first time. Time zones come to mind. Note that the inception and expiration times are in UTC, see RFC 4034:

    The Signature Expiration and Inception field values specify a date
    and time in the form of a 32-bit unsigned number of seconds elapsed
    since 1 January 1970 00:00:00 UTC, ignoring leap seconds, in network
    byte order.

and:

    The Signature Expiration Time and Inception Time field values MUST be
    represented either as an unsigned decimal integer indicating seconds
    since 1 January 1970 00:00:00 UTC, or in the form YYYYMMDDHHmmSS in
    UTC, ...

So if you sign at 20/8/2012 17:08 P.M. and the inception is at 20/8/2012 08:08 A.M, you are in UTC+8 (17 minus 8 for the UTC minus 1 for the offset = 8), is that right?

Best regards,
Matthijs

On 08/21/2012 01:23 PM, 刘硕 wrote:
>> The signature inception time is a function of the current time
>> and the inception offset. Is your InceptionOffset in the kasp.xml
>> policy 9 hours?
>
> No, the InceptionOffset is 3600S, but the point is the signature
> inception time is earlier, not later, than the current time; it's the
> opposite.
>
> I signed a zone at 2012082119140544 or so, but the RRSIG SOA is:
>
> example3. 300 IN RRSIG SOA 8 1 300 20120821130544 20120821101435 718 example3. RZsMib3Zx
>
> Once the authoritative server loads the zone data above, it will not
> get authenticated by a recursive server with the +dnssec flag.
>
> The policy I used is as follows:
>
> <Policy name="lab">
>   <Description>Quick turnaround policy for lab work</Description>
>   <Signatures>
>     <Resign>PT15M</Resign>
>     <Refresh>PT30M</Refresh>
>     <Validity>
>       <Default>PT2H</Default>
>       <Denial>PT1H</Denial>
>     </Validity>
>     <Jitter>PT10M</Jitter>
>     <InceptionOffset>PT3600S</InceptionOffset>
>   </Signatures>
>   <Denial>
>     <NSEC3>
>       <OptOut/>
>       <Resalt>P100D</Resalt>
>       <Hash>
>         <Algorithm>1</Algorithm>
>         <Iterations>5</Iterations>
>         <Salt length="8"/>
>       </Hash>
>     </NSEC3>
>   </Denial>
>
>   <Keys>
>     <!-- Parameters for both KSK and ZSK -->
>     <TTL>PT3000S</TTL>
>     <RetireSafety>PT360S</RetireSafety>
>     <PublishSafety>PT360S</PublishSafety>
>     <ShareKeys/>
>     <Purge>P1D</Purge>
>
>     <!-- Parameters for KSK only -->
>     <KSK>
>       <Algorithm length="2048">8</Algorithm>
>       <Lifetime>P1Y</Lifetime>
>       <Repository>SoftHSM</Repository>
>     </KSK>
>
>     <!-- Parameters for ZSK only -->
>     <ZSK>
>       <Algorithm length="1024">8</Algorithm>
>       <Lifetime>PT4H</Lifetime>
>       <Repository>SoftHSM</Repository>
>       <!-- <ManualRollover/> -->
>     </ZSK>
>   </Keys>
>
>   <Zone>
>     <PropagationDelay>PT300S</PropagationDelay>
>     <SOA>
>       <TTL>PT300S</TTL>
>       <Minimum>PT300S</Minimum>
>       <Serial>unixtime</Serial>
>     </SOA>
>   </Zone>
>
>   <Parent>
>     <PropagationDelay>PT9999S</PropagationDelay>
>     <DS>
>       <TTL>PT3600S</TTL>
>     </DS>
>     <SOA>
>       <TTL>PT172800S</TTL>
>       <Minimum>PT10800S</Minimum>
>     </SOA>
>   </Parent>
>
> </Policy>
>
> Best regards,
> Stuart

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
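
Added example (not part of the original thread and not OpenDNSSEC code): the UTC arithmetic discussed above, applied to the RRSIG SOA record quoted in the thread. The function names are hypothetical, and the local signing time of 19:14:35 is an assumed value chosen for illustration.

```python
from datetime import datetime, timedelta, timezone

# RRSIG SOA record as quoted in the thread (its signature field is truncated there).
RRSIG_LINE = ("example3. 300 IN RRSIG SOA 8 1 300 20120821130544 "
              "20120821101435 718 example3. RZsMib3Zx")


def parse_rrsig_time(field):
    """RFC 4034 presentation form: YYYYMMDDHHmmSS in UTC (always 14 digits)
    or unsigned decimal seconds since 1 January 1970 UTC (at most 10 digits)."""
    if not field.isdigit():
        raise ValueError(f"not an RRSIG time field: {field!r}")
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    if len(field) <= 10:
        return datetime.fromtimestamp(int(field), tz=timezone.utc)
    raise ValueError(f"ambiguous RRSIG time field: {field!r}")


def rrsig_window(line):
    """Return (inception, expiration); in the record, expiration is listed first."""
    f = line.split()
    i = f.index("RRSIG")
    # After RRSIG: type covered, algorithm, labels, original TTL,
    # expiration, inception, key tag, signer name, signature.
    return parse_rrsig_time(f[i + 6]), parse_rrsig_time(f[i + 5])


def infer_utc_offset(local_sign_time, inception, inception_offset):
    """Signer's zone offset: local wall clock minus (inception + InceptionOffset)."""
    sign_utc = inception + inception_offset
    return local_sign_time.replace(tzinfo=timezone.utc) - sign_utc


def is_valid_at(now_utc, inception, expiration):
    """Validator-side window check, with every value in UTC."""
    return inception <= now_utc <= expiration


if __name__ == "__main__":
    inception, expiration = rrsig_window(RRSIG_LINE)
    local = datetime(2012, 8, 21, 19, 14, 35)  # assumed local wall-clock signing time
    print("inception :", inception.isoformat())
    print("expiration:", expiration.isoformat())
    print("zone offset:", infer_utc_offset(local, inception, timedelta(seconds=3600)))
    # Reading the local wall clock as if it were UTC makes the signature look expired.
    print("valid if local time is taken as UTC:",
          is_valid_at(local.replace(tzinfo=timezone.utc), inception, expiration))
```

The last check shows why comparing RRSIG fields against a local wall clock is misleading: the same instant is inside the validity window in UTC and appears to be past expiration when the local time is read as UTC.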
