To: Rob Austein <sra+dnsop@hactrn.net>
Cc: dnsop@cafax.se
From: Edward Lewis <edlewis@arin.net>
Date: Tue, 1 Apr 2003 10:24:44 -0500
In-Reply-To: <20030321011040.762E12329@thangorodrim.hactrn.net>
Sender: owner-dnsop@cafax.se
Subject: Re: secondary behavior with DNSSEC

This just occurred to me when writing something about lame server checking (don't ask): DNSSEC issues ought to be relegated to the resolvers (recursive servers) and be removed from authoritative servers.

Ergo, I would not bother to try to tie the expiration of signatures to the SOA knobs - especially given the difference in 1) the nature of the times (relative, absolute) and 2) the need (or non-need) to synchronize clocks.

I.e., the secondary should continue to issue expired signatures as per the rules of the SOA knobs until the master is changed.

Perhaps, though, it would be good to suggest SOA knobs that are compatible with signature validity spans and vice versa. However, interleaving the two uses of time is something I'd refrain from.

At 17:10 -0800 3/20/03, Rob Austein wrote:
>At Fri, 21 Mar 2003 02:00:03 +0100, Olaf Kolkman wrote:
>>
>> Is it way out of line to have the zone expire if one of the SIGs over
>> the SOA expires?
>>
>> Seems like a reasonable thing to do.
>
>Bit of a layering violation, isn't it? I'd prefer just to advise the
>zone admin as best we can on how to set the knobs we already have.
>#----------------------------------------------------------------------
># To unsubscribe, send a message to <dnsop-request@cafax.se>.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis                                          +1-703-227-9854
ARIN Research Engineer

I've had it with world domination. The maintenance fees are too high.
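
The relation between the relative SOA expire timer and the absolute signature expiration discussed in this thread, as an added example that is not part of the original messages. The function names, the worst-case assumption (master unreachable right after the last transfer) and all sample values are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def parse_sig_time(text):
    """Parse a signature timestamp in YYYYMMDDHHmmSS presentation form (UTC)."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def check_soa_vs_sig(soa_expire, max_ttl, sig_expiration, last_transfer):
    """Compare SOA expire (relative seconds) with a signature expiration (absolute).

    Assumption: the master becomes unreachable right after last_transfer, so the
    secondary keeps answering from that copy until the SOA expire timer runs out.
    """
    stops_serving = last_transfer + timedelta(seconds=soa_expire)
    # A resolver may still hold an answer for max_ttl after the last response.
    last_use = stops_serving + timedelta(seconds=max_ttl)
    stale = int((stops_serving - sig_expiration).total_seconds())
    return {
        "stops_serving": stops_serving,
        # Seconds during which the secondary answers with expired signatures.
        "serves_expired_for": max(0, stale),
        "compatible": last_use <= sig_expiration,
    }


def max_compatible_expire(max_ttl, sig_expiration, last_transfer):
    """Largest SOA expire (seconds) that keeps served and cached data valid."""
    return int((sig_expiration - last_transfer).total_seconds()) - max_ttl


# Constructed sample: zone transferred on 1 April, signatures valid 14 more days.
LAST_TRANSFER = datetime(2003, 4, 1, tzinfo=timezone.utc)
SIG_EXPIRATION = parse_sig_time("20030415000000")
MAX_TTL = 86400  # one day

if __name__ == "__main__":
    for expire in (604800, 2419200):  # 7 days and 28 days
        result = check_soa_vs_sig(expire, MAX_TTL, SIG_EXPIRATION, LAST_TRANSFER)
        print(expire, result["compatible"], result["serves_expired_for"])
    print(max_compatible_expire(MAX_TTL, SIG_EXPIRATION, LAST_TRANSFER))
```

The check only advises on how the two settings relate; it does not make the zone expire when a signature does.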