To: Miek Gieben <miekg@atoom.net>, dnsop@cafax.se
From: ted@tednet.nl (Ted Lindgreen)
Date: Thu, 20 Mar 2003 11:37:57 +0100
In-Reply-To: "Miek Gieben's message as of Mar 20, 11:25"
Reply-To: Ted.Lindgreen@tednet.nl
Sender: owner-dnsop@cafax.se
Subject: Re: secondary behavior with DNSSEC
[Quoting Miek Gieben, on Mar 20, 11:25, in "secondary behavior w ..."]
> One of the secondaries for the signed .nl zone has not been updated for some
> time now. The signatures it carries are expired on March 10. This means that
> whoever was using this server only gets bad (authoritative) data for .nl.
> If this was for real .nl would have dropped off the earth for all users of this
> nameserver.

A way to prevent this from happening may be to choose the "expire" time
in the SOA more carefully:

- suppose you re-sign the zone every X seconds
- and the lifetime of the signatures is Y seconds

then the expire value should be less than or equal to Y-X.

This way, the out-dated secondary would return "SERVFAIL" instead of
authoritatively returning expired signatures.

In practical values: in the experimental DNSSEC .nl zone we re-sign daily,
the signatures live 7 days, thus the expire time should be 6 days (which
is much less than the current actual value of 4 weeks!).

I think this should be documented in a BCP.

-- ted

#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
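The EXPIRE <= Y-X rule from the message above, as an added worked example (not code from the thread or from the .nl operators): it computes the largest safe SOA EXPIRE for a re-signing schedule, and, given a secondary's last successful refresh time and the RRSIG records it holds, reports how long that secondary would keep answering authoritatively with at least one expired signature before it gives up on the zone. The RRSIG lines, the refresh timestamp and the 1-day/7-day schedule are constructed for the example; the RRSIG field layout is the RFC 4034 presentation format (expiration and inception as YYYYMMDDHHmmSS in UTC).

```python
"""SOA EXPIRE vs. DNSSEC signature lifetime: is a stale secondary safe?

Rule (from the thread): re-sign every X seconds, signatures live Y seconds,
then SOA EXPIRE must be <= Y - X so a secondary that has lost contact with
the primary SERVFAILs before any signature it holds can expire.
"""
from datetime import datetime, timedelta, timezone

DAY = 86400


def max_safe_expire(resign_interval: int, sig_lifetime: int) -> int:
    """Largest SOA EXPIRE (seconds) for which a secondary drops the zone
    no later than its oldest signature can expire."""
    if resign_interval <= 0 or sig_lifetime <= resign_interval:
        raise ValueError("signature lifetime must exceed the re-signing interval")
    return sig_lifetime - resign_interval


def expire_is_safe(soa_expire: int, resign_interval: int, sig_lifetime: int) -> bool:
    """True when the configured EXPIRE obeys EXPIRE <= Y - X."""
    return soa_expire <= max_safe_expire(resign_interval, sig_lifetime)


def parse_rrsig_time(ts: str) -> datetime:
    """RRSIG expiration/inception in presentation format: YYYYMMDDHHmmSS, UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def earliest_signature_expiry(rrsig_lines) -> datetime:
    """Earliest expiration among RRSIG records given in presentation format.

    Field order after the 'RRSIG' token: type-covered, algorithm, labels,
    original TTL, expiration, inception, key tag, signer, signature.
    """
    expirations = []
    for line in rrsig_lines:
        fields = line.split()
        idx = fields.index("RRSIG")
        expirations.append(parse_rrsig_time(fields[idx + 5]))
    return min(expirations)


def stale_secondary_window(last_refresh: datetime, soa_expire: int, rrsig_lines) -> int:
    """Seconds during which a secondary that last refreshed at `last_refresh`
    keeps serving the zone with at least one expired signature.

    Positive: a window of bad authoritative data. Zero or negative: the
    secondary SERVFAILs (EXPIRE reached) before any signature expires.
    """
    gives_up_at = last_refresh + timedelta(seconds=soa_expire)
    first_expiry = earliest_signature_expiry(rrsig_lines)
    return int((gives_up_at - first_expiry).total_seconds())


# Constructed sample data: a secondary that last transferred the zone on
# 2003-03-03 00:00 UTC and then lost contact with the primary.  The zone is
# re-signed daily with 7-day signatures; the NS RRSIG was made half a day
# before the SOA RRSIG and not refreshed in between.
LAST_REFRESH = datetime(2003, 3, 3, 0, 0, 0, tzinfo=timezone.utc)
RRSIG_LINES = [
    "nl. 3600 IN RRSIG SOA 5 1 3600 20030310000000 20030303000000 12345 nl. AAAA",
    "nl. 3600 IN RRSIG NS  5 1 3600 20030309120000 20030302120000 12345 nl. BBBB",
]

if __name__ == "__main__":
    for label, expire in (("4 weeks", 4 * 7 * DAY), ("6 days", 6 * DAY)):
        safe = expire_is_safe(expire, DAY, 7 * DAY)
        window = stale_secondary_window(LAST_REFRESH, expire, RRSIG_LINES)
        print(f"EXPIRE={label}: rule satisfied={safe}, "
              f"stale-signature window={window / DAY:.1f} days")
```

With the 4-week EXPIRE the sample secondary serves expired signatures for about three weeks; with the 6-day value it returns SERVFAIL half a day before its oldest signature lapses. The same functions can be run against a real zone by feeding it the RRSIG lines from a `dig ... +dnssec` answer or an AXFR dump.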