To:
Ted.Lindgreen@tednet.nl
Cc:
Miek Gieben <miekg@atoom.net>, dnsop@cafax.se
From:
Edward Lewis <edlewis@arin.net>
Date:
Thu, 20 Mar 2003 17:19:49 -0800
In-Reply-To:
<200303201037.h2KAbw1B013954@omval.tednet.nl>
Sender:
owner-dnsop@cafax.se
Subject:
Re: secondary behavior with DNSSEC
At 11:37 +0100 3/20/03, Ted Lindgreen wrote: >A way to prevent this from happening may be to choose >the "expire" time in the SOA more carefully: The zone expiry time should be set to cover the span of time which a secondary can reliably serve a zone in the absence of a responsive master. It's fairly obvious that a secondary, in the absence of a responsive master, can only operate until the signatures expire. Problem: the expiry time is relative to the last time the zone is refreshed, the signatures expire at an absolute time. Hmmm. Okay, I don't have a quick answer here. Rats. But don't link the two clocks together. Expiry is relative, needs no synchronized time source. Expiration is absolute, needs a coordinated time. -- -=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=- Edward Lewis +1-703-227-9854 ARIN Research Engineer #---------------------------------------------------------------------- # To unsubscribe, send a message to <dnsop-request@cafax.se>.