On Thu, 2021-09-30 at 20:00 +0200, Peter van Dijk wrote: > Judging from the DS as I see it coming out of some resolvers, the DS is > about 15 hours old at this point (so, introduced around 03:15 UTC I > think). Those cached DSes still have 10 hours to go.
It turns out the resolvers I was looking at have a 12 hour TTL cap on everything, so my 03:15 UTC calculation is in accurate, and introduction of the DS could indeed have been up to 12 hours later. Indeed, dnsviz sees no DS at 12:55 UTC: https://dnsviz.net/d/slack.com/YVWzsA/dnssec/ but it has one at 15:30 UTC: https://dnsviz.net/d/slack.com/YVXX_g/dnssec/ and gone again at 17:24 UTC: https://dnsviz.net/d/slack.com/YVXy2Q/dnssec/ (note that that last URL also shows DNSKEY&RRSIGs are gone). Kind regards, -- Peter van Dijk PowerDNS.COM BV - https://www.powerdns.com/ _______________________________________________ dns-operations mailing list [email protected] https://lists.dns-oarc.net/mailman/listinfo/dns-operations
