

To: Miek Gieben <miekg@nlnetlabs.nl>, Simon Josefsson <jas@extundo.com>
Cc: dnssec@cafax.se
From: Olafur Gudmundsson <ogud@ogud.com>
Date: Tue, 03 Jul 2001 17:11:07 -0400
Delivery-Date: Wed Jul 4 09:39:56 2001
In-Reply-To: <20010629164116.A18172@atoom.net>
Sender: owner-dnssec@cafax.se
Subject: Re: ttl problems in DNSSEC

At 10:41 AM 6/29/2001, Miek Gieben wrote:

> > [1]: perhaps the resolver is able to detect this situation by
> > comparing the key tag field on S++2(A) with K++1, and then try to get
> > more recent data.
>then you propose that if data is BAD an extra query for the key must be
>done? I'm afraid this will yield too many extra queries...

Not a problem, this will only happen once in a long while, thus when this
happens an extra query is fine.
The real problem here is that K++1 was removed before data signed with it
expired from caches; this MUST only be done in an emergency.
In most cases K++1 should remain in the keyset long enough for the zone signed
by K++2 to propagate to slaves and then time out in caches.


         Olafur
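The retention rule in the reply above, as an added worked example (not code from this thread or from any DNSSEC implementation): the old key K++1 must stay in the keyset until the last K++1-signed copy of the zone has reached every slave and then aged out of resolver caches, so the earliest safe removal time is the signing switch plus the slave propagation delay plus the largest TTL in the zone. The resolver-side check Miek quotes (compare the key tag on the signature with the keys held, refetch the keyset on mismatch) is modelled as a validation step that reports one extra query per mismatch. Key tags, TTLs and timestamps are constructed values.

```python
"""Key-retention timing for a DNSSEC zone-key rollover (constructed example).

A zone switches from signing with K1 to signing with K2 at T_SWITCH.
Copies of RRsets signed by K1 may still sit in slave servers (until the
zone transfer completes) and in resolver caches (until their TTL runs out).
Removing K1 from the published keyset before those copies are gone leaves
them unverifiable, and each check then costs the resolver an extra keyset query.
"""
from dataclasses import dataclass

# Constructed key tags for the old and the new zone key.
K1, K2 = 12345, 54321


@dataclass(frozen=True)
class SignedRRset:
    name: str
    signer_tag: int   # key tag carried in the signature covering this RRset
    fetched_at: int   # when the resolver cached it (seconds)
    ttl: int          # TTL of the RRset (seconds)

    def expired(self, now: int) -> bool:
        return now >= self.fetched_at + self.ttl


def earliest_safe_removal(t_switch: int, slave_propagation: int, max_ttl: int) -> int:
    """Earliest time K1 may leave the keyset without orphaning cached data.

    After t_switch a slave may keep serving the K1-signed zone until it has
    transferred the new one (slave_propagation); a resolver that fetched
    from such a slave at the last moment keeps that data for max_ttl.
    """
    return t_switch + slave_propagation + max_ttl


def keyset_at(now: int, t_add_k2: int, t_remove_k1: int) -> set:
    """Key tags a resolver would obtain from the zone's keyset at time `now`."""
    tags = set()
    if now < t_remove_k1:
        tags.add(K1)
    if now >= t_add_k2:
        tags.add(K2)
    return tags


def validate(rrset: SignedRRset, keyset_tags: set, now: int) -> str:
    """Resolver-side check: does the signer's key tag match a key we hold?"""
    if rrset.expired(now):
        return "EXPIRED"               # cached copy is gone; a normal refetch follows
    if rrset.signer_tag in keyset_tags:
        return "OK"
    return "BAD_REFETCH_KEYSET"        # key tag mismatch: one extra keyset query


def extra_queries(rrset: SignedRRset, t_add_k2: int, t_remove_k1: int, check_times: list) -> int:
    """Count how many validations at `check_times` would trigger a keyset refetch."""
    return sum(
        validate(rrset, keyset_at(t, t_add_k2, t_remove_k1), t) == "BAD_REFETCH_KEYSET"
        for t in check_times
    )


if __name__ == "__main__":
    # Constructed timeline: K2 published and signing starts at t=1000,
    # slaves take up to 3600 s to transfer, largest TTL in the zone is 86400 s.
    safe = earliest_safe_removal(t_switch=1000, slave_propagation=3600, max_ttl=86400)
    rr = SignedRRset("www.example.", K1, fetched_at=4500, ttl=86400)
    checks = [30000, 60000, 89000, 95000]
    print("earliest safe removal of K1:", safe)
    print("extra queries, K1 removed early at 50000:", extra_queries(rr, 1000, 50000, checks))
    print("extra queries, K1 removed at", safe, ":", extra_queries(rr, 1000, safe, checks))
```

Removing K1 at the computed time costs the resolver nothing, because every K1-signed copy has expired by then; removing it early (the emergency case) turns each validation of still-cached K1-signed data into a key-tag mismatch and a refetch.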

