2010/08/19

Start time of RRSIG falls 9 hours behind the system clock after zone signing

I was wondering why the start time of each RRSIG fell 9 hours behind the system clock once zone signing had completed. A closer look at dnssec-signzone showed that the RRSIG start (inception) time defaults to the current UTC time minus 1 hour, to allow for clock skew between signer and validators. It also makes sense that RRSIG records are time-stamped in UTC. Since the time zone of Hong Kong is UTC+8, adding the one-hour skew allowance means every RRSIG generated appears 9 hours behind the local system clock.

This prompts another thought. If you operate a nameserver that performs DNSSEC zone signing, it is better to set its clock to UTC rather than local time. That makes RRSIG start and expiry times much easier to track and compare.
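As an added illustration (not code from the original post), the small Python calculation below shows the inception time dnssec-signzone stamps under its default one-hour skew allowance, why it reads 9 hours behind a UTC+8 clock, and the validator-side window check that the timestamps feed. The fixed UTC+8 offset, the sample clock reading and the sample expiration are constructed for the example.

```python
from datetime import datetime, timedelta, timezone

HKT = timezone(timedelta(hours=8))      # Hong Kong, UTC+8 (constructed fixed offset, no DST)
SKEW_ALLOWANCE = timedelta(hours=1)     # dnssec-signzone default: inception = now (UTC) - 1 hour
RRSIG_TIME_FMT = "%Y%m%d%H%M%S"         # RFC 4034 presentation format for inception/expiration


def default_inception(now_local: datetime) -> datetime:
    """Inception time dnssec-signzone would stamp for a signing run at `now_local`.

    The local reading is converted to UTC first, then the skew allowance is subtracted.
    """
    return now_local.astimezone(timezone.utc) - SKEW_ALLOWANCE


def format_rrsig_time(t: datetime) -> str:
    """Render an aware datetime the way it appears in an RRSIG RDATA field (always UTC)."""
    return t.astimezone(timezone.utc).strftime(RRSIG_TIME_FMT)


def parse_rrsig_time(s: str) -> datetime:
    """Parse a 14-digit RRSIG timestamp; the field carries no zone, so it is UTC by definition."""
    return datetime.strptime(s, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


def apparent_lag(now_local: datetime) -> timedelta:
    """How far the inception field trails the wall clock when both are read as plain digits.

    This is the confusing number an operator sees: zone offset plus the skew allowance.
    """
    naive_local = now_local.replace(tzinfo=None)
    naive_inception = default_inception(now_local).replace(tzinfo=None)
    return naive_local - naive_inception


def rrsig_is_current(inception: str, expiration: str, now: datetime) -> bool:
    """Validator-side check: `now` must fall within [inception, expiration], compared in UTC."""
    now_utc = now.astimezone(timezone.utc)
    return parse_rrsig_time(inception) <= now_utc <= parse_rrsig_time(expiration)


if __name__ == "__main__":
    # Constructed sample: the signer's clock shows noon, 19 Aug 2010, Hong Kong time.
    signed_at = datetime(2010, 8, 19, 12, 0, 0, tzinfo=HKT)
    inc = format_rrsig_time(default_inception(signed_at))
    print("local clock   :", signed_at.strftime(RRSIG_TIME_FMT))
    print("RRSIG inception:", inc)
    print("apparent lag  :", apparent_lag(signed_at))
```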
