To:
Ted.Lindgreen@tednet.nl
Cc:
dnsop@cafax.se
From:
Peter Koch <pk@TechFak.Uni-Bielefeld.DE>
Date:
Thu, 20 Mar 2003 12:40:04 +0100
In-reply-to:
Your message of "Thu, 20 Mar 2003 11:37:57 +0100." <200303201037.h2KAbw1B013954@omval.tednet.nl>
Sender:
owner-dnsop@cafax.se
Subject:
Re: secondary behavior with DNSSEC
> A way to prevent this from happening may be to choose
> the "expire" time in the SOA more carefully:

Which is the first time we have an upper bound for the expire value.

> - suppose you re-sign the zone every X seconds
> - and the lifetime of the signatures is Y seconds
> then the expire value should be less than or equal to Y-X.

Shouldn't that just be expire <= Y? If you (plan to) re-sign in 5 days
and the lifetime is 7 days, why should expire be 2 days only?

In the general case, expire values should not shrink too much, to avoid
problems caused by unreachable masters, syntax errors in zone files etc.

> This way, the out-dated secondary would return "SERVFAIL" instead

This should also be documented, because 1034 and friends do not explicitly
state what a server should do after the zone has expired. Nameservers have
behaved differently in the past, and SERVFAIL is not necessarily the best
reaction from an operational perspective - e.g. if you face a "perfectly
lame" delegation.

-Peter
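The relation between the re-signing interval X, the signature lifetime Y and the SOA expire value that the two messages above argue about, worked through as an added example (not code from either poster). It assumes a simple model: every re-signing replaces all RRSIGs, each new RRSIG is valid for Y seconds from the moment of signing, and a secondary that loses its master keeps serving its last copy for `expire` seconds.

```python
# Added example, not part of the original thread. Constructed model: all RRSIGs
# are regenerated at each re-signing with lifetime Y measured from that moment,
# so a copy fetched by a secondary is between 0 and X seconds old.

DAY = 86400  # seconds


def remaining_sig_validity(resign_interval, sig_lifetime, age_at_transfer):
    """Seconds of RRSIG validity a secondary holds right after a transfer,
    when the copy it fetched was signed `age_at_transfer` seconds earlier."""
    if not 0 <= age_at_transfer <= resign_interval:
        raise ValueError("a zone copy is between 0 and X seconds old")
    return sig_lifetime - age_at_transfer


def worst_case_validity(resign_interval, sig_lifetime):
    """Least RRSIG validity a secondary can end up with: it transferred the
    zone just before the next re-signing, so its signatures are X old."""
    return remaining_sig_validity(resign_interval, sig_lifetime, resign_interval)


def check_expire(expire, resign_interval, sig_lifetime):
    """Does a secondary that lost its master drop the zone (SOA expire)
    before the RRSIGs in its copy lapse? Reports both bounds from the thread:
    expire <= Y-X (worst-case copy age) and expire <= Y (freshly signed copy)."""
    worst = worst_case_validity(resign_interval, sig_lifetime)
    best = remaining_sig_validity(resign_interval, sig_lifetime, 0)
    return {
        "worst_case_remaining": worst,
        "safe_for_any_copy": expire <= worst,      # the Y-X bound
        "safe_for_fresh_copy": expire <= best,     # the Y bound
    }


if __name__ == "__main__":
    # Values from the discussion: re-sign every 5 days, signatures live 7 days.
    X, Y = 5 * DAY, 7 * DAY
    for expire_days in (2, 5, 7):
        print(f"expire={expire_days}d", check_expire(expire_days * DAY, X, Y))
```

With the thread's numbers, only an expire of 2 days is safe for every possible copy age; 5 or 7 days are safe only when the secondary happened to transfer right after a re-signing.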