[Pdns-users] trying to understand pdns and dnssec

Pieter Lexis pieter.lexis at powerdns.com
Wed Nov 8 20:06:23 UTC 2017

Hi Eric,

On Wed, 8 Nov 2017 14:47:36 -0500
Eric Beck <ericbeck at cadns.ca> wrote:

> As per the docs,
> "RRSIGs have a validity period, in PowerDNS this period is 3 weeks. This
> period starts at most a week in the past, and continues at least a week
> into the future"
> As well the first domain we secured was done perhaps before last
> Thursday, Nov. 2 (I can't remember), so I could understand that it may
> have it's inception date set at October 26 according to the docs.  But
> the one we just secured today, it makes no sense that it has an
> inception date of Oct. 26

Tomorrow the inception date will change to Nov 2nd.
At that point the current date is at least a week from the inception and almost 2 weeks from the expiry date,
compared to almost 2 weeks from the inception date and almost 1 week to the expiry date.

As we serve the RRSIG during the "middle" week (7 days) of the 3 week (21 day) validity period.
In other words, today (Wednesday 2017-11-08) is last day of the middle of this 3 week validity period.
hence, the inception is _almost_ 2 weeks away and the expiry date is _just a little over_ a week in the future.

I hope this clarifies it some more.

Best regards,


Pieter Lexis
PowerDNS.COM BV -- https://www.powerdns.com

More information about the Pdns-users mailing list