On 1/26/2015 10:48 PM, Viktor Dukhovni wrote:
On Mon, Jan 26, 2015 at 09:08:36PM -0500, John wrote:
There appear to be time differences between the records reported by DIG and the source records on file.
Dig does not and cannot report the activation and inactivation time, so it is hard to see how one might expect anything in dig output to agree with either time.
RRsigs report the signature validity interval, which should start some time after activation and, though it generally will end before inactivation, may even end after inactivation if the key inactivation time was set (as in Carsten's notes) sufficiently close to that date that existing RRsigs may already be in place that outlive the key inactivation.
The initial time of an RRsig will never be outside the (activation, inactivation) interval, but the final time may lie just beyond.
Thanks for the reassurance. I was not sure whether there was a problem or not. Every test I ran indicated that there was no problem, but being new and nervous I thought I should ask.
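
The relationship described in the quoted reply, as an added example that is not part of the original thread: it compares RRSIG inception and expiration times taken from dig output with the Activate and Inactive timing comments of a BIND key file. The zone name, key tag 12345, dates and signature strings are constructed sample data, and the status labels are this example's own.

```python
import re
from datetime import datetime, timezone

# Constructed sample: timing comments as found at the top of a BIND K*.key file.
KEY_FILE = """\
; This is a zone-signing key, keyid 12345, for example.com.
; Created: 20150101000000 (Thu Jan  1 00:00:00 2015)
; Activate: 20150105000000 (Mon Jan  5 00:00:00 2015)
; Inactive: 20150204000000 (Wed Feb  4 00:00:00 2015)
example.com. IN DNSKEY 256 3 8 AwEAAc...
"""
# Constructed sample: RRSIG lines as printed by `dig +dnssec`.
DIG_OUTPUT = """\
example.com. 3600 IN RRSIG SOA 8 2 3600 20150125000000 20150106000000 12345 example.com. c2lnMQ==
example.com. 3600 IN RRSIG NS 8 2 3600 20150210000000 20150201000000 12345 example.com. c2lnMg==
example.com. 3600 IN RRSIG A 8 2 3600 20150301000000 20150205000000 12345 example.com. c2lnMw==
"""

def parse_ts(s):
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def key_timing(key_file_text):
    """Map timing comment names (Activate, Inactive, ...) to UTC datetimes."""
    pairs = re.findall(r"^;\s*(\w+):\s*(\d{14})\b", key_file_text, re.M)
    return {name: parse_ts(ts) for name, ts in pairs}

def rrsigs(dig_text):
    """Yield (type_covered, key_tag, inception, expiration) per RRSIG line."""
    for line in dig_text.splitlines():
        f = line.split()
        if line.startswith(";") or "RRSIG" not in f:
            continue
        i = f.index("RRSIG")
        # RDATA order: covered alg labels origttl EXPIRATION INCEPTION keytag signer sig
        yield f[i + 1], int(f[i + 7]), parse_ts(f[i + 6]), parse_ts(f[i + 5])

def check(dig_text, key_file_text, key_tag):
    """Classify each RRSIG made by key_tag against the key's timing window."""
    t = key_timing(key_file_text)
    act, inact = t["Activate"], t.get("Inactive")
    out = []
    for covered, tag, inc, exp in rrsigs(dig_text):
        if tag != key_tag:
            continue
        if inc < act or (inact is not None and inc >= inact):
            out.append((covered, "inception-outside-window"))
        elif inact is not None and exp > inact:
            out.append((covered, "outlives-inactivation"))  # allowed per the reply
        else:
            out.append((covered, "within-window"))
    return out
```
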