[Quoting Miek Gieben, on Mar 20, 11:25, in "secondary behavior w ..."]
> One of the secondaries for the signed .nl zone has not been updated for some
> time now. The signatures it carries are expired on March 10. This means that
> whoever was using this server only gets bad (authoritative) data for .nl.
> If this was for real .nl would have dropped off the earth for all users of this
> nameserver.

A way to prevent this from happening may be to choose the "expire" time in the SOA more carefully:

- suppose you re-sign the zone every X seconds
- and the lifetime of the signatures is Y seconds

then the expire value should be less than or equal to Y-X. This way, the out-dated secondary would return "SERVFAIL" instead of authoritatively returning expired signatures.

In practical values: in the experimental DNSSEC .nl zone we re-sign daily, the signatures live 7 days, thus the expire time should be 6 days (which is much less than the current actual value of 4 weeks!).

I think this should be documented in a BCP.

-- ted
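The expire <= Y-X rule from the message above, worked through as an added example (not code from the thread or from the .nl operators); the function and variable names are my own, and the secondary's behaviour is a simplified model of a copy that stops receiving zone transfers:

```python
"""Added example: checks the SOA expire rule from the post, expire <= Y - X,
where the zone is re-signed every X seconds and each RRSIG lives Y seconds."""

DAY = 86400  # seconds


def max_soa_expire(resign_interval: int, sig_lifetime: int) -> int:
    """Largest SOA expire that still satisfies expire <= Y - X."""
    if resign_interval <= 0 or sig_lifetime <= resign_interval:
        raise ValueError("signature lifetime must exceed the re-sign interval")
    return sig_lifetime - resign_interval


def bad_data_window(soa_expire: int, resign_interval: int, sig_lifetime: int) -> int:
    """Seconds during which a secondary that stopped transferring would still
    answer authoritatively with expired signatures (0 means the rule holds).

    Worst case: the last transfer happened just before the next re-signing, so
    the copy carries signatures made up to X seconds earlier. Those expire at
    last_transfer - X + Y, but the copy keeps answering until
    last_transfer + soa_expire."""
    return max(0, soa_expire - (sig_lifetime - resign_interval))


def secondary_answer(now: int, last_transfer: int, soa_expire: int,
                     sig_expiration: int) -> str:
    """Simplified secondary behaviour at absolute time `now` (seconds).
    'SERVFAIL' once the zone copy has expired, 'expired-sigs' while it still
    answers authoritatively with expired RRSIGs, else 'ok'."""
    if now >= last_transfer + soa_expire:
        return "SERVFAIL"       # zone expired: no more authoritative answers
    if now >= sig_expiration:
        return "expired-sigs"   # the failure mode described in the post
    return "ok"


if __name__ == "__main__":
    # Values from the post: re-sign daily, signatures live 7 days.
    X, Y = 1 * DAY, 7 * DAY
    print("max SOA expire (days):", max_soa_expire(X, Y) // DAY)
    print("bad-data window, expire=4 weeks (days):", bad_data_window(28 * DAY, X, Y) // DAY)
    print("bad-data window, expire=6 days (days):", bad_data_window(6 * DAY, X, Y) // DAY)
```

With the post's numbers the 4-week expire leaves a stale secondary serving expired signatures for 22 days, while a 6-day expire turns that window into SERVFAIL.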
