

To: dnsop@cafax.se
From: Miek Gieben <miekg@atoom.net>
Date: Thu, 20 Mar 2003 10:48:46 +0100
Content-Disposition: inline
Mail-Followup-To: dnsop@cafax.se
Sender: owner-dnsop@cafax.se
User-Agent: Vim/Mutt/Linux
Subject: secondary behavior with DNSSEC

Hello,

during our SECREG experiment (secreg.nlnetlabs.nl) we are seeing the following
problem:

One of the secondaries for the signed .nl zone has not been updated for some
time now. The signatures it carries expired on March 10. This means that
whoever was using this server only gets bad (authoritative) data for .nl.
If this were for real, .nl would have dropped off the earth for all users of this
nameserver.

The difference with DNS is obvious: with DNS a secondary that was not up to
date was bad, but it was still sort of usable. With DNSSEC a secondary that is
out of date for longer than the signature lifetime is disastrous - it causes the
local removal of a TLD (in this case).

To put it another way: DNSSEC introduces a clock to the DNS operation, and
the clock ticks every signature lifetime.


grtz  Miek


--
:wq!
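The "clock" the post describes can be checked operationally: a secondary that loses contact with its master keeps answering authoritatively until the SOA EXPIRE timer runs out, so if EXPIRE is longer than the time left on the zone's RRSIGs, that secondary can serve expired signatures while still claiming authority. The script below is an added example (not part of the original post or of the SECREG experiment); the RRSIG and SOA lines are constructed sample data, not real .nl records.

```python
"""Compare a zone's remaining RRSIG lifetime with its SOA EXPIRE value.

Added example, not from the original post. The records below are constructed
sample data whose expiration (2003-03-10) mirrors the date given in the post.
"""
from datetime import datetime, timezone

# Constructed sample records: an RRSIG covering the zone SOA, and the SOA itself.
SAMPLE_RRSIG = ("nl. 3600 IN RRSIG SOA 5 1 3600 20030310000000 20030210000000 "
                "12345 nl. AAAA")
SAMPLE_SOA = ("nl. 3600 IN SOA ns.example. hostmaster.example. "
              "2003031001 7200 3600 1209600 3600")

def parse_dns_time(text):
    """Parse a YYYYMMDDHHMMSS timestamp (RRSIG presentation format) as UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig_window(rrsig_line):
    """Return (inception, expiration) from an RRSIG in presentation format:
    owner TTL class RRSIG type alg labels origttl expiration inception keytag signer sig."""
    f = rrsig_line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    return parse_dns_time(f[9]), parse_dns_time(f[8])

def parse_soa_expire(soa_line):
    """Return SOA EXPIRE: seconds a secondary keeps serving without a refresh.
    Fields after SOA: mname rname serial refresh retry expire minimum."""
    f = soa_line.split()
    if len(f) < 11 or f[3] != "SOA":
        raise ValueError("not an SOA record")
    return int(f[9])

def check_secondary(rrsig_line, soa_line, now_text):
    """Classify the zone at time `now_text` (YYYYMMDDHHMMSS, UTC):
      'expired' - signatures are already invalid; the secondary serves bogus data
      'at_risk' - a cut-off secondary would outlive the signatures (EXPIRE > remaining)
      'ok'      - the secondary would expire the zone before the signatures expire"""
    inception, expiration = parse_rrsig_window(rrsig_line)
    soa_expire = parse_soa_expire(soa_line)
    remaining = (expiration - parse_dns_time(now_text)).total_seconds()
    if remaining <= 0:
        verdict = "expired"
    elif soa_expire > remaining:
        verdict = "at_risk"
    else:
        verdict = "ok"
    return {"lifetime_s": (expiration - inception).total_seconds(),
            "remaining_s": remaining, "soa_expire_s": soa_expire, "verdict": verdict}

if __name__ == "__main__":
    # The situation in the post: checked on 2003-03-20, ten days after expiry.
    print(check_secondary(SAMPLE_RRSIG, SAMPLE_SOA, "20030320000000"))
```

Run against the real zone, the same check over the RRSIG with the earliest expiration tells an operator whether a stalled secondary will go dark (SOA EXPIRE) before or after it starts handing out expired signatures.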
