> A way to prevent this from happening may be to choose
> the "expire" time in the SOA more carefully:

Which is the first time we have an upper bound for the expire value.

> - suppose you re-sign the zone every X seconds
> - and the lifetime of the signatures is Y seconds
> then the expire value should be less than or equal to Y-X.

Shouldn't that just be expire <= Y? If you (plan to) re-sign in 5 days
and the lifetime is 7 days, why should expire be only 2 days?

In the general case, expire values should not shrink too much, to avoid
problems caused by unreachable masters, syntax errors in zone files, etc.

> This way, the out-dated secondary would return "SERVFAIL" instead

This should also be documented, because 1034 and friends do not explicitly
state what a server should do after the zone has expired. Nameservers
have behaved differently in the past, and SERVFAIL is not necessarily the
best reaction from an operational perspective - e.g. if you face a "perfectly
lame" delegation.

-Peter
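A worked timeline of the constraint quoted in the mail above (the primary re-signs every X seconds, each signature is valid for Y seconds, and a secondary that has lost its primary keeps serving its copy for SOA expire seconds). This is example code added here; it is not part of Peter's mail or of the quoted proposal. The model, the hourly scan step and all function names are assumptions made for the example; the 5-day/7-day figures are the ones from the mail.

```python
"""Constructed model of SOA expire vs. re-signing interval vs. RRSIG lifetime.

Assumptions (not from the thread): the primary runs a signing job at
0, X, 2X, ... seconds; every RRSIG it writes is valid for Y seconds from
its inception; a secondary that transferred the zone at t_xfr and then
never reaches the primary again serves its copy until t_xfr + expire.
"""

from dataclasses import dataclass

DAY = 86400
HOUR = 3600


@dataclass(frozen=True)
class Rrsig:
    """Only the validity window of an RRSIG matters for this question."""
    inception: int    # seconds since the start of the model
    expiration: int


def signing_runs(resign_interval, sig_lifetime, horizon):
    """RRSIGs produced by signing runs at 0, X, 2X, ... before `horizon`."""
    return [Rrsig(t, t + sig_lifetime) for t in range(0, horizon, resign_interval)]


def rrsig_in_copy(runs, t_xfr):
    """The RRSIG a secondary receives when it transfers at t_xfr:
    the newest one already written by then."""
    return max((r for r in runs if r.inception <= t_xfr), key=lambda r: r.inception)


def lapsed_service_seconds(t_xfr, expire, resign_interval, sig_lifetime):
    """Secondary transfers at t_xfr and never reaches the primary again.

    It serves the copy until t_xfr + expire and then stops answering.
    Returns how many seconds it answers with an already-expired RRSIG
    (0 if the SOA expire timer fires first)."""
    horizon = t_xfr + resign_interval + 1
    sig = rrsig_in_copy(signing_runs(resign_interval, sig_lifetime, horizon), t_xfr)
    serve_until = t_xfr + expire
    return max(0, serve_until - sig.expiration)


def worst_case_lapsed_seconds(expire, resign_interval, sig_lifetime, step=HOUR):
    """Scan transfer instants across one signing period.

    The worst transfer is the one just before the next signing run, when
    the copy's signatures are almost X old.  With a finite `step` the scan
    stops `step` short of that supremum."""
    return max(lapsed_service_seconds(t, expire, resign_interval, sig_lifetime)
               for t in range(0, resign_interval, step))


def max_safe_expire(resign_interval, sig_lifetime):
    """Largest expire for which no cut-off secondary ever serves a lapsed
    signature: the remaining validity of the oldest copy in circulation,
    i.e. Y - X rather than Y."""
    return sig_lifetime - resign_interval


if __name__ == "__main__":
    X, Y = 5 * DAY, 7 * DAY   # re-sign every 5 days, signatures live 7 days
    for expire in (7 * DAY, 5 * DAY, 2 * DAY):
        worst = worst_case_lapsed_seconds(expire, X, Y)
        print(f"expire={expire // DAY}d: worst case {worst / DAY:.2f} days "
              f"of answers carrying lapsed RRSIGs")
    print(f"largest safe expire: {max_safe_expire(X, Y) // DAY} days")
```

Run as a script it prints the three cases: with expire equal to the 7-day signature lifetime a secondary that transferred just before a signing run serves lapsed signatures for almost 5 days, with expire of 2 days (Y minus X) it never does. A secondary that transferred right after a signing run is fine either way; the bound comes from the copy that was transferred latest in the signing period.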