Marc Lampo <marc.la...@eurid.eu> wrote:
>
> Experimenting with key roll-over timing conditions, with a Bind 9.7.3
> setup, I noticed, today, that this version does not re-validate DNSSEC
> data, once something makes it into its cache.
>
> I wonder though, if that is correct ?
Yes. When you publish a signed zone you must be aware of the timing
constraints that surround key changes, caused by the lengths of TTLs and
the signature validity periods. Validators are allowed to assume that you
do not delete any keys while there are still signatures out there that are
within their validity periods. There is no way for a publisher to
explicitly signal a key rollover to validators. This is the most
operationally subtle part of DNSSEC...

> If I overlooked something obvious, sorry for the interrupt (but thanks
> for sending clarifying references).

http://tools.ietf.org/html/draft-ietf-dnsop-dnssec-key-timing

Tony.
-- 
f.anthony.n.finch <d...@dotat.at> http://dotat.at/
Humber: Northwest veering northeast, 3 or 4. Slight. Showers. Good.
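The timing constraints Tony describes can be written down as arithmetic on TTLs and delays. The following Python is an added example, not code from the thread or from BIND: it models a pre-publication ZSK rollover in the spirit of the key-timing draft he links, using constructed zone parameters (DNSKEY TTL, longest signed TTL, propagation delay, re-signing delay) that are assumptions chosen for illustration. The two rules it encodes are the ones in the reply: the new key must sit in the DNSKEY RRset until every cached copy of the old RRset can have expired before it signs anything, and the old key must stay published until every signature it made can have expired from caches, because a validator that has cached a signature will not fetch the key again to re-check it.

```python
from datetime import datetime, timedelta

# Constructed zone parameters (assumptions for this example, not from the thread).
DNSKEY_TTL = timedelta(hours=1)            # TTL of the DNSKEY RRset
MAX_SIGNED_TTL = timedelta(days=1)         # longest TTL of any signed RRset in the zone
PROPAGATION_DELAY = timedelta(minutes=30)  # worst case until every secondary serves a change
RESIGN_DELAY = timedelta(hours=6)          # time until every RRset has been re-signed with the new key


def earliest_active_time(publish_time, dnskey_ttl=DNSKEY_TTL,
                         propagation_delay=PROPAGATION_DELAY):
    """Earliest moment the new ZSK may start signing.

    A cache may have fetched the pre-roll DNSKEY RRset (without the new key) from a
    lagging secondary up to propagation_delay after publication and will keep it for
    dnskey_ttl; signatures made by the new key before then would fail to validate there.
    """
    return publish_time + propagation_delay + dnskey_ttl


def earliest_remove_time(stop_signing_time, max_signed_ttl=MAX_SIGNED_TTL,
                         propagation_delay=PROPAGATION_DELAY, resign_delay=RESIGN_DELAY):
    """Earliest moment the old ZSK may be withdrawn from the DNSKEY RRset.

    After the old key stops being used, its RRSIGs linger in the zone until everything
    has been re-signed (resign_delay) and the re-signed zone has reached all secondaries
    (propagation_delay); a cache that fetched an old RRSIG at that last moment keeps it
    for max_signed_ttl and, as noted in the thread, will not re-validate it. The key it
    was made with must therefore remain published until then.
    """
    return stop_signing_time + resign_delay + propagation_delay + max_signed_ttl


def check_rollover_plan(plan):
    """Return a list of violations for a proposed ZSK rollover plan.

    plan maps 'publish' (new key added to DNSKEY RRset), 'activate' (new key starts
    signing), 'retire' (old key stops signing) and 'remove' (old key withdrawn) to
    datetimes. An empty list means the plan respects the timing constraints.
    """
    problems = []
    active_ok = earliest_active_time(plan["publish"])
    if plan["activate"] < active_ok:
        problems.append(f"new key signs at {plan['activate']}, but caches may hold the old "
                        f"DNSKEY RRset until {active_ok}")
    if plan["retire"] < plan["activate"]:
        problems.append("old key retired before the new key starts signing: "
                        "some RRsets would carry no valid signature")
    remove_ok = earliest_remove_time(plan["retire"])
    if plan["remove"] < remove_ok:
        problems.append(f"old key removed at {plan['remove']}, but cached signatures made "
                        f"with it may be used until {remove_ok}")
    return problems


# Constructed schedules. The first withdraws the old key while its signatures can
# still be served from caches; the second waits long enough.
UNSAFE_PLAN = {
    "publish": datetime(2011, 4, 1, 0, 0),
    "activate": datetime(2011, 4, 1, 2, 0),
    "retire": datetime(2011, 4, 1, 2, 0),
    "remove": datetime(2011, 4, 1, 12, 0),
}
SAFE_PLAN = dict(UNSAFE_PLAN, remove=datetime(2011, 4, 2, 9, 0))

if __name__ == "__main__":
    for name, plan in (("unsafe", UNSAFE_PLAN), ("safe", SAFE_PLAN)):
        print(name, check_rollover_plan(plan) or "ok")
```

The delays are inputs rather than constants a tool could discover on its own, which is the point Tony makes: nothing in the protocol tells a validator that a roll is happening, so the publisher has to derive a safe schedule from the TTLs and signature lifetimes it controls and then hold the old key in the zone for the whole of that interval.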