bind-users April 2010 archive

Re: dnssec-keygen & dnssec-signzone "smart signing" vs time zones

From: Mark Andrews <marka_at_nospam>
Date: Thu Apr 29 2010 - 03:22:06 GMT
To: "Paul B. Henson" <henson@acm.org>

In message <Pine.GSO.4.55.1004281958000.11178@loogie.intranet.csupomona.edu>, "Paul B. Henson" writes:
> On Wed, 28 Apr 2010, Mark Andrews wrote:
>
> > The .private timestamps are in UTC and that is what is used for key
> > management. The .key values are just comments. You should be able to
> > work out my current offset from UTC.
> >
> > % grep Created Klllll.+005+59421.*
> > Klllll.+005+59421.key:; Created: Thu Apr 29 11:10:24 2010
> > Klllll.+005+59421.private:Created: 20100429011024
>
> Ah, ok, that makes more sense, thanks.
>
> It might help prevent confusion if the documentation was more clear on time
> handling; I might have missed it but I didn't see anything explaining time
> was stored in UTC, or that times provided on the command line were
> considered to be in UTC. That last bit isn't very intuitive, typically when
> time is specified like that it's relative to your time zone. I guess I'll
> need to convert the time I want relative to my time zone to UTC and pass
> that on the command line instead.

Would something like this be better? Do you need a UTC after the timestamp?
Note: now + delta is timezone agnostic.

; This is a zone-signing key, keyid 26628, for kij.
; Created: 20100429025050 (Thu Apr 29 12:50:50 2010)
; Publish: 20100429025050 (Thu Apr 29 12:50:50 2010)
; Activate: 20100429025050 (Thu Apr 29 12:50:50 2010)
kij. IN DNSKEY 256 3 5 AwEAAb6VYqE8stYu19VmT2nmeJd+xKKKA7u+FqVpCWmop8UoEba/4zmM
BkjfueTtWTAo2qsyX9mW10B48M+slzk3HPGLvCDP5U6iKQWQvtEm4k6/ ml0Xzvnjfc36ynQK4IuffGz
FSsYenr01qF+SGizP2pb2LIWYIjyKamYG 34+0c1/5

From dnssec-signzone

       -s start-time
           Specify the date and time when the generated RRSIG records become
           valid. This can be either an absolute or relative time. An absolute
           start time is indicated by a number in YYYYMMDDHHMMSS notation;
           20000530144500 denotes 14:45:00 UTC on May 30th, 2000. A relative
           start time is indicated by +N, which is N seconds from the current
           time. If no start-time is specified, the current time minus 1 hour
           (to allow for clock skew) is used.

Mark

> --
> Paul B. Henson | (909) 979-6361 | http://www.csupomona.edu/~henson/
> Operating Systems and Network Analyst | henson@csupomona.edu
> California State Polytechnic University | Pomona CA 91768
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: marka@isc.org
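
An added example, not part of the original message and not BIND code: a Python sketch of the conversion discussed in this thread, turning a local wall-clock time into the UTC YYYYMMDDHHMMSS form the tools expect and recovering the local offset from the .key/.private pair quoted above. The function names and the fixed UTC-7 offset used for the sample conversion are assumptions for illustration.

```python
from datetime import datetime, timedelta, timezone

BIND_FMT = "%Y%m%d%H%M%S"            # YYYYMMDDHHMMSS, interpreted as UTC
CTIME_FMT = "%a %b %d %H:%M:%S %Y"   # local-time comment style in the .key file


def parse_bind_utc(stamp):
    """Parse a .private or command-line timestamp as an aware UTC datetime."""
    return datetime.strptime(stamp, BIND_FMT).replace(tzinfo=timezone.utc)


def local_to_bind(local_wallclock, utc_offset_hours):
    """Convert 'YYYY-MM-DD HH:MM:SS' local time to the UTC stamp to pass on
    the command line. utc_offset_hours is the operator's offset (assumed input)."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = datetime.strptime(local_wallclock, "%Y-%m-%d %H:%M:%S").replace(tzinfo=tz)
    return local.astimezone(timezone.utc).strftime(BIND_FMT)


def offset_from_key_pair(key_comment, private_stamp):
    """Infer the local UTC offset by comparing the .key comment (local time)
    with the .private Created value (UTC) for the same key."""
    local_naive = datetime.strptime(key_comment, CTIME_FMT)
    utc_naive = datetime.strptime(private_stamp, BIND_FMT)
    return local_naive - utc_naive


def annotate(stamp, utc_offset_hours):
    """Render a UTC stamp with the local time in parentheses, in the comment
    format proposed in the message above."""
    tz = timezone(timedelta(hours=utc_offset_hours))
    local = parse_bind_utc(stamp).astimezone(tz)
    return f"{stamp} ({local.strftime(CTIME_FMT)})"


if __name__ == "__main__":
    # Values copied from the grep output quoted in the thread.
    print(offset_from_key_pair("Thu Apr 29 11:10:24 2010", "20100429011024"))
    # Constructed sample: local midnight on 1 May 2010 at an assumed UTC-7.
    print(local_to_bind("2010-05-01 00:00:00", -7))
    print(annotate("20100429025050", 10))
```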