To: dnsop@cafax.se
From: Rob Austein <sra+dnsop@hactrn.net>
Date: Tue, 01 Apr 2003 11:54:48 -0500
In-Reply-To: <a05111b0bbaaf5e4fd552@[192.149.252.108]>
Sender: owner-dnsop@cafax.se
User-Agent: Wanderlust/2.8.1 (Something) Emacs/20.7 Mule/4.0 (HANANOEN)
Subject: Re: secondary behavior with DNSSEC

At Tue, 1 Apr 2003 10:24:44 -0500, Edward Lewis wrote:
>
> This just occurred to me when writing something about lame server
> checking (don't ask):
>
> DNSSEC issues ought to be relegated to the resolvers (recursive
> servers)

Verifiers, but otherwise, yes, that's what I meant

> and be removed from authoritative servers. Ergo, I would
> not bother to try to tie the expiration of signatures to the SOA
> knobs - especially given the difference in 1) the nature of the times
> (relative, absolute) and 2) the need (or non-need) to synchronize
> clocks.
>
> I.e., the secondary should continue to issue expired signatures as
> per the rules of the SOA knobs until the master is changed. Perhaps,
> though, it would be good to suggest SOA knobs that are compatible
> with signature validity spans and vice versa. However, interleaving
> the two uses of time is something I'd refrain from.

s/SOA knobs/values for the SOA knobs/, but otherwise yes, that's what
I meant.
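
An added example, not part of the original message or of any DNS server's code: a zone operator's check of whether the values chosen for the SOA knobs are compatible with the signature validity spans discussed above. It compares the relative SOA expire timer with the absolute signature expiration times. It assumes present-day RRSIG presentation format with 14-digit `YYYYMMDDHHmmSS` timestamps, one record per line, and a constructed sample zone; the function names are hypothetical.

```python
from datetime import datetime, timezone

# Constructed sample records (names, key tag and signature bytes are made up).
SAMPLE_ZONE = """\
example.test. 3600 IN SOA ns1.example.test. hostmaster.example.test. 2003040101 7200 900 1209600 3600
example.test. 3600 IN RRSIG SOA 5 2 3600 20030420000000 20030401000000 12345 example.test. c2FtcGxl
www.example.test. 3600 IN RRSIG A 5 3 3600 20030408000000 20030401000000 12345 example.test. c2FtcGxl
"""


def parse_zone(text):
    """Return (soa_expire_seconds, [(owner, covered_type, expiration), ...])."""
    expire, sigs = None, []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or f[2] != "IN":
            continue
        if f[3] == "SOA" and len(f) >= 11:
            # rdata: mname rname serial refresh retry expire minimum
            expire = int(f[9])
        elif f[3] == "RRSIG" and len(f) >= 13:
            # rdata: covered alg labels origttl expiration inception keytag signer sig
            exp = datetime.strptime(f[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            sigs.append((f[0], f[4], exp))
    if expire is None:
        raise ValueError("no SOA record found")
    return expire, sigs


def stale_signatures(text, last_refresh):
    """List signatures that expire before a cut-off secondary stops serving.

    A secondary whose last successful refresh was at `last_refresh` keeps
    answering until last_refresh + SOA expire (a relative timer). Any RRSIG
    whose absolute expiration falls before that instant would be served
    expired; the third tuple element is for how many seconds.
    """
    expire, sigs = parse_zone(text)
    serve_until = last_refresh.timestamp() + expire
    return [(owner, rtype, int(serve_until - exp.timestamp()))
            for owner, rtype, exp in sigs
            if exp.timestamp() < serve_until]


if __name__ == "__main__":
    refreshed = datetime(2003, 4, 1, 12, 0, 0, tzinfo=timezone.utc)
    for owner, rtype, secs in stale_signatures(SAMPLE_ZONE, refreshed):
        print(f"{owner} RRSIG({rtype}) could be served expired for {secs}s")
```

An empty result means the shortest signature validity span outlasts the SOA expire window for that refresh time; the check runs on the signing side and adds no signature logic to the secondary.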