[Quoting Peter Koch, on Mar 20, 13:28, in "Re: secondary behavi ..."]
> > - suppose you re-sign the zone every X seconds
> > - and the lifetime of the signatures is Y seconds
> > then the expire value should be less or equal to Y-X.
>
> Shouldn't that just be expire <= Y? If you (plan to) re-sign in 5 days,
> the lifetime is 7 days why should expire be 2 days only?

OK, let's just write it out:

With expire = Y:

Suppose the last successful AXFR was on day 4. Then on day 7 the SIGs
expire. From day 8 until day 12 the zone remains valid.

With expire = Y-X:

Last successful AXFR was on day 4. On day 7 both SIGs expire and the zone
has turned invalid.

> In the general case, expire values should not shrink too much to avoid
> problems caused by unreachable masters, syntax errors in zone files etc.
>
> > This way, the out-dated secondary would return "SERVFAIL" instead
>
> This should also be documented, because 1034 and friends do not explicitly
> state what a server should do after the zone has expired. Nameservers
> have behaved differently in the past and SERVFAIL is not necessarily the
> best reaction from an operational perspective - e.g. if you face a "perfectly
> lame" delegation

I agree with the rest,

-- ted
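To make the day-count argument above concrete, here is an added model (example code, not part of the thread) of a primary that re-signs every X time units with signature lifetime Y, and a secondary that keeps serving for `expire` units after its last successful transfer and then stops answering. Assumptions: signing runs happen at 0, X, 2X, ...; a validator rejects a signature from inception + Y onward; the brute-force check samples transfer times in hourly steps, so the 1/24 step and the `horizon` are arbitrary choices of this example.

```python
# Added worked example (not from the original mailing-list thread): how the
# SOA expire value interacts with the re-signing interval (X) and the RRSIG
# lifetime (Y) on a secondary that has lost contact with its primary.
from typing import Optional, Tuple

def last_signing_time(last_axfr: float, resign_interval: float) -> float:
    """Signing run whose RRSIGs the secondary holds: the most recent run at or
    before the last successful transfer (runs are at 0, X, 2X, ... by assumption)."""
    return (last_axfr // resign_interval) * resign_interval

def stale_signature_window(resign_interval: float, sig_lifetime: float,
                           expire: float, last_axfr: float
                           ) -> Optional[Tuple[float, float]]:
    """Return (start, end) of the period in which the secondary still answers
    authoritatively although every RRSIG it holds has expired, or None when
    the zone expires on the secondary (it stops serving) before that happens.
    Assumption: signatures are invalid from inception + lifetime onward."""
    sig_expiry = last_signing_time(last_axfr, resign_interval) + sig_lifetime
    stops_serving = last_axfr + expire
    if stops_serving <= sig_expiry:
        return None
    return (sig_expiry, stops_serving)

def max_safe_expire(resign_interval: float, sig_lifetime: float) -> float:
    """Largest expire that can never produce a stale-signature window: the
    transferred copy may be almost X old, so its signatures are only
    guaranteed to last another Y - X."""
    return sig_lifetime - resign_interval

def never_stale(resign_interval: float, sig_lifetime: float, expire: float,
                horizon_days: int = 30) -> bool:
    """Brute force: try every transfer time in hourly steps (constructed grid)
    and report whether a stale-signature window can ever occur."""
    return all(
        stale_signature_window(resign_interval, sig_lifetime, expire, h / 24) is None
        for h in range(horizon_days * 24)
    )

if __name__ == "__main__":
    X, Y = 5, 7  # re-sign every 5 days, signatures live 7 days (as in the thread)
    print(stale_signature_window(X, Y, expire=Y, last_axfr=4))      # (7, 11)
    print(stale_signature_window(X, Y, expire=Y - X, last_axfr=4))  # None
    print(never_stale(X, Y, Y - X), never_stale(X, Y, Y))           # True False
```

With expire = Y the day-4 transfer leaves a window from day 7 to day 11 in which the secondary answers with expired signatures; with expire = Y - X no transfer time can produce such a window, while anything larger can.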
