At Tue, 1 Apr 2003 10:24:44 -0500, Edward Lewis wrote:
>
> This just occurred to me when writing something about lame server
> checking (don't ask):
>
> DNSSEC issues ought to be relegated to the resolvers (recursive
> servers)

Verifiers, but otherwise, yes, that's what I meant

> and be removed from authoritative servers. Ergo, I would
> not bother to try to tie the expiration of signatures to the SOA
> knobs - especially given the difference in 1) the nature of the times
> (relative, absolute) and 2) the need (or non-need) to synchronize
> clocks.
>
> I.e., the secondary should continue to issue expired signatures as
> per the rules of the SOA knobs until the master is changed. Perhaps,
> though, it would be good to suggest SOA knobs that are compatible
> with signature validity spans and vice versa. However, interleaving
> the two uses of time is something I'd refrain from.

s/SOA knobs/values for the SOA knobs/, but otherwise yes, that's what I meant.
