

To: Peter Koch <pk@TechFak.Uni-Bielefeld.DE>
Cc: dnsop@cafax.se
From: ted@tednet.nl (Ted Lindgreen)
Date: Thu, 20 Mar 2003 13:42:59 +0100
In-Reply-To: "Peter Koch's message as of Mar 20, 13:28"
Reply-To: Ted.Lindgreen@tednet.nl
Sender: owner-dnsop@cafax.se
Subject: Re: secondary behavior with DNSSEC

[Quoting Peter Koch, on Mar 20, 13:28, in "Re: secondary behavi ..."]

> > - suppose you re-sign the zone every X seconds
> > - and the lifetime of the signatures is Y seconds
> > then the expire value should be less than or equal to Y-X.
> 
> Shouldn't that just be expire <= Y? If you (plan to) re-sign in 5 days
> and the lifetime is 7 days, why should expire be 2 days only?

OK, let's just write it out:
With expire = Y:
 Suppose the last successful AXFR was on day 4. Then on day 7 the
 SIGs expire. From day 8 until day 12 the zone remains valid.

With expire = Y-X:
 Last successful AXFR was on day 4.
 On day 7 both SIGs expire and the zone has turned invalid.

> In the general case, expire values should not shrink too much to avoid
> problems caused by unreachable masters, syntax errors in zone files etc.
> 
> > This way, the out-dated secondary would return "SERVFAIL" instead
> 
> This should also be documented, because 1034 and friends do not explicitly
> state what a server should do after the zone has expired. Nameservers
> have behaved differently in the past and SERVFAIL is not necessarily the
> best reaction from an operational perspective - e.g. if you face a "perfectly
> lame" delegation

I agree with the rest,
-- ted
#----------------------------------------------------------------------
# To unsubscribe, send a message to <dnsop-request@cafax.se>.
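The expire-versus-lifetime arithmetic from the exchange above, worked through as an added example (not code from the thread or its authors). It assumes the worst case: the secondary's last successful AXFR happens just before the master re-signs, and the copy it holds was signed at the previous re-sign; all time values are in the same unit (days, as in Ted's example).

```python
# Model of a DNSSEC secondary that stops receiving zone transfers.
# X = resign_interval, Y = sig_lifetime, expire = SOA expire value.

def max_safe_expire(resign_interval, sig_lifetime):
    """Largest SOA expire that can never serve expired signatures: Y - X."""
    return sig_lifetime - resign_interval

def worst_case_stale_window(resign_interval, sig_lifetime, expire):
    """How long the secondary can keep answering with expired RRSIGs.

    Assumed worst case: master signs at t=0 with lifetime Y, the last good
    AXFR is just before the re-sign at t=X, and every later transfer fails.
    The copy is served until t = X + expire; its signatures die at t = Y.
    """
    last_axfr = resign_interval
    zone_discarded_at = last_axfr + expire
    sigs_expire_at = sig_lifetime
    return max(0, zone_discarded_at - sigs_expire_at)

def timeline(resign_interval, sig_lifetime, expire, last_axfr):
    """Day-by-day state of the secondary from its last successful AXFR on.

    States: 'valid' (answers verify), 'expired-sigs' (answers carry expired
    RRSIGs, validators reject them) or 'servfail' (zone expired, not served).
    """
    signed_at = (last_axfr // resign_interval) * resign_interval  # assumed
    sigs_expire_at = signed_at + sig_lifetime
    zone_discarded_at = last_axfr + expire
    states = []
    for day in range(last_axfr, zone_discarded_at + 1):
        if day >= zone_discarded_at:
            states.append((day, "servfail"))
        elif day >= sigs_expire_at:
            states.append((day, "expired-sigs"))
        else:
            states.append((day, "valid"))
    return states

if __name__ == "__main__":
    X, Y = 5, 7  # the thread's numbers: re-sign every 5 days, 7-day lifetime
    for expire in (Y, max_safe_expire(X, Y)):
        print(f"expire={expire}: stale window {worst_case_stale_window(X, Y, expire)} days")
        for day, state in timeline(X, Y, expire, last_axfr=4):
            print(f"  day {day}: {state}")
```

With expire = Y the secondary answers with expired signatures for several days before it finally goes SERVFAIL; with expire = Y - X it never does.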
