To: Miek Gieben <miekg@nlnetlabs.nl>, Simon Josefsson <jas@extundo.com>
Cc: dnssec@cafax.se
From: Olafur Gudmundsson <ogud@ogud.com>
Date: Tue, 03 Jul 2001 17:11:07 -0400
Delivery-Date: Wed Jul 4 09:39:56 2001
In-Reply-To: <20010629164116.A18172@atoom.net>
Sender: owner-dnssec@cafax.se
Subject: Re: ttl problems in DNSSEC
At 10:41 AM 6/29/2001, Miek Gieben wrote:

> > [1]: perhaps the resolver is able to detect this situation by
> > comparing the key tag field on S++2(A) with K++1, and then try to get
> > more recent data.
>
> then you propose that if data is BAD an extra query for the key must be
> done? I'm afraid this will yield too many extra queries...

Not a problem: this will only happen once in a long while, thus when this happens an extra query is fine.

The real problem here is that K++1 was removed before data signed with it expired from caches; this MUST only be done in an emergency. In most cases K++1 should remain in the keyset long enough for the zone signed by K++2 to propagate to slaves and then time out in caches.

Olafur
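As an added illustration (not code from the thread or from either author) of the two points above, the following models Olafur's rule for when the old key K++1 may safely leave the keyset, and Miek's footnote [1] check of a cached signature's key tag against the current keyset. The timing model (slave propagation bounded by the SOA refresh, plus the largest TTL of data signed with K++1) and all numbers are constructed assumptions.

```python
# Added example, not from the original thread. ZoneTiming, the refresh + TTL
# bound and the sample key tags are constructed assumptions for illustration.
from dataclasses import dataclass


@dataclass(frozen=True)
class ZoneTiming:
    resign_time: int  # seconds: moment the zone was re-signed with K++2
    refresh: int      # SOA refresh: worst-case delay before a slave pulls the new zone
    max_ttl: int      # largest TTL of any RRset that carries a signature made with K++1


def earliest_safe_removal(t: ZoneTiming) -> int:
    """Earliest moment K++1 may be dropped from the keyset without stranding
    cached data: the zone signed with K++2 must first reach every slave
    (at most `refresh` later), and a record fetched from a stale slave just
    before that can then live up to `max_ttl` in a resolver cache."""
    return t.resign_time + t.refresh + t.max_ttl


def is_emergency_removal(t: ZoneTiming, removal_time: int) -> bool:
    """True when K++1 is removed while signatures made with it may still be
    cached somewhere, i.e. the situation the reply says MUST be an emergency."""
    return removal_time < earliest_safe_removal(t)


def validate_cached_rrsig(sig_key_tag: int, keyset_tags: set) -> str:
    """Resolver-side check from footnote [1]: compare the key tag on a cached
    signature with the tags in the current keyset. Returns the action to take:
    'verify' if the signing key is still published, 'refetch' if the key tag is
    unknown, meaning the cached data is stale and one extra query is needed."""
    if sig_key_tag in keyset_tags:
        return "verify"
    return "refetch"


if __name__ == "__main__":
    zone = ZoneTiming(resign_time=0, refresh=3600, max_ttl=86400)
    print(earliest_safe_removal(zone))                  # 90000
    print(is_emergency_removal(zone, 43200))            # True: removed half a day early
    print(validate_cached_rrsig(12345, {12345, 40001})) # verify
    print(validate_cached_rrsig(11111, {12345, 40001})) # refetch
```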