To: dnsop@cafax.se
From: Miek Gieben <miekg@atoom.net>
Date: Thu, 20 Mar 2003 10:48:46 +0100
Content-Disposition: inline
Mail-Followup-To: dnsop@cafax.se
Sender: owner-dnsop@cafax.se
User-Agent: Vim/Mutt/Linux
Subject: secondary behavior with DNSSEC
Hello,

During our SECREG experiment (secreg.nlnetlabs.nl) we are seeing the following problem: one of the secondaries for the signed .nl zone has not been updated for some time now. The signatures it carries expired on March 10. This means that whoever was using this server only gets bad (authoritative) data for .nl. If this were for real, .nl would have dropped off the earth for all users of this nameserver.

The difference with DNS is obvious: with DNS, a secondary that was not up to date was bad, but it was still sort of usable. With DNSSEC, a secondary that is out of date for longer than the signature lifetime is disastrous; it causes the local removal of a TLD (in this case).

To put it another way: DNSSEC introduces a clock to the DNS operation, and the clock ticks every signature lifetime.

grtz Miek

--
:wq!
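The monitoring check this observation calls for, as an added example that is not code from the original mail or from the SECREG project: given the RRSIG inception and expiration times a secondary is serving, decide whether a validating resolver would still accept its data at a given moment, and report how much of the signature lifetime is left. It assumes only the RRSIG time format and comparison rules of RFC 4034 (YYYYMMDDHHmmSS in UTC, compared with RFC 1982 serial arithmetic); the server names and signature records are constructed sample data chosen to mirror the situation in the mail, not real .nl records.

```python
"""Audit the RRSIG validity windows a set of secondaries is serving.

Added example, not from the original post. The sample servers and records
below are constructed; only the time format and serial arithmetic follow
RFC 4034 section 3.1.5 / RFC 1982.
"""
from datetime import datetime, timezone

SERIAL_MOD = 1 << 32          # RRSIG times are 32-bit on the wire
SERIAL_HALF = 1 << 31


def parse_sig_time(field: str) -> int:
    """RRSIG Signature Expiration/Inception in presentation format
    (YYYYMMDDHHmmSS, UTC) -> seconds since the epoch, masked to 32 bits."""
    dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % SERIAL_MOD


def serial_le(a: int, b: int) -> bool:
    """a <= b under RFC 1982 serial-number arithmetic, which RFC 4034 requires
    for RRSIG time comparisons so the 2106 wraparound is handled."""
    d = (b - a) % SERIAL_MOD
    return d < SERIAL_HALF    # d == 0: equal; 0 < d < 2^31: a is before b


def signature_status(inception: str, expiration: str, now: int) -> str:
    """'valid' when inception <= now <= expiration; otherwise the reason a
    validator rejects the signature."""
    now %= SERIAL_MOD
    if not serial_le(parse_sig_time(inception), now):
        return "not yet valid"
    if not serial_le(now, parse_sig_time(expiration)):
        return "expired"
    return "valid"


def seconds_until_expiry(rrsigs, now: int) -> int:
    """Smallest remaining lifetime among the signatures; negative when the
    soonest one has already expired. Useful as an alarm threshold: a
    secondary must transfer the zone again before this reaches zero."""
    remaining = []
    for _inception, expiration in rrsigs:
        d = (parse_sig_time(expiration) - now) % SERIAL_MOD
        if d >= SERIAL_HALF:     # signed interpretation of the serial difference
            d -= SERIAL_MOD
        remaining.append(d)
    return min(remaining)


def audit_secondaries(servers: dict, now: int) -> dict:
    """Worst RRSIG status per server. Any status other than 'valid' means
    validating resolvers reject the zone from that server outright, which
    is the failure mode described in the mail."""
    rank = {"valid": 0, "not yet valid": 1, "expired": 2}
    result = {}
    for server, rrsigs in servers.items():
        worst = "valid"
        for inception, expiration in rrsigs:
            status = signature_status(inception, expiration, now)
            if rank[status] > rank[worst]:
                worst = status
        result[server] = worst
    return result


# Constructed sample data: two secondaries for one signed zone, evaluated at
# the mail's own timestamp (20 Mar 2003 10:48:46 +0100 = 09:48:46 UTC).
# "ns-stale" last transferred a zone whose signatures expired on 10 March.
NOW = parse_sig_time("20030320094846")
SAMPLE_SERVERS = {
    "ns-stale.example": [("20030201000000", "20030310000000")],
    "ns-fresh.example": [("20030315000000", "20030415000000")],
}

if __name__ == "__main__":
    for server, status in audit_secondaries(SAMPLE_SERVERS, NOW).items():
        left = seconds_until_expiry(SAMPLE_SERVERS[server], NOW)
        print(f"{server}: {status} ({left} s until soonest expiry)")
```

Run against a real secondary, the inception/expiration pairs would come from the RRSIG records in an AXFR or a query to that server; the point of the check is that the expiry countdown, not the SOA serial, is what decides whether the server is still usable.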