On Feb 26, 2026, at 07:50, Jim Reid <[email protected]> wrote:
>
>> On 26 Feb 2026, at 15:11, Florian Obser <[email protected]> wrote:
>>
>> How can the LocalRoot server figure out what the real expire time is
>> when using http? At what time should it stop using the zone file and
>> switch to querying the root name servers?
>
> Surely the SOA record's metadata answers those questions? Maybe I'm missing
> something.

Not surely. The scheme of setting the SOA serial to be based on the
current date is cute but not required. Even if IANA had a rule that it
should always start with the date that the zone was put together, if
they accidentally mess up once and make it a much larger number, the
rule is dead. They can't later go back to using dates again.

Having said that:

On Feb 26, 2026, at 07:43, Wes Hardaker <[email protected]> wrote:
> And looking at the signature times is definitely one of the
> possibilities, but I'm not sure that's the perfect solution either.

I'm interested in why not. If those datetimes are wrong when the zone is
emitted, every validator that checks times will immediately scream. If a
resolver gets a zone over HTTPS and the signing time is more in the past
than that resolver's refresh time, then it knows it should refresh now.

--Paul Hoffman

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
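The signature-time check discussed in the message above, as an added example that is not part of the original thread or of any LocalRoot implementation: it reads the RRSIG covering the apex SOA from a fetched zone copy and compares the signature inception with a refresh interval. The function names, the use of the SOA refresh field as the resolver's refresh time, the one-record-per-line input format and the sample zone lines are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample in master-file format; key tag and signature are dummies.
SAMPLE_ZONE = """\
. 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2026022600 1800 900 604800 86400
. 86400 IN RRSIG SOA 8 0 86400 20260311050000 20260226040000 12345 . c2lnbmF0dXJl
. 518400 IN RRSIG NS 8 0 518400 20260312050000 20260227040000 12345 . c2lnbmF0dXJl
"""

def rrsig_time(field):
    """Parse an RRSIG time: YYYYMMDDHHmmSS (UTC) or seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def soa_timers(zone_text):
    """Return (refresh_seconds, inception, expiration) for the apex SOA."""
    refresh = inception = expiration = None
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) < 11 or f[0] != "." or f[2] != "IN":
            continue
        if f[3] == "SOA":
            refresh = int(f[7])  # SOA: mname rname serial REFRESH retry expire minimum
        elif f[3] == "RRSIG" and f[4] == "SOA" and len(f) >= 13:
            # RRSIG rdata lists expiration before inception (RFC 4034).
            expiration, inception = rrsig_time(f[8]), rrsig_time(f[9])
    if None in (refresh, inception, expiration):
        raise ValueError("zone copy lacks an apex SOA or the RRSIG covering it")
    return refresh, inception, expiration

def freshness(zone_text, now):
    """Classify a fetched zone copy as 'fresh', 'refresh' or 'invalid' at time now."""
    refresh, inception, expiration = soa_timers(zone_text)
    if now < inception or now > expiration:
        return "invalid"   # outside the signature validity window
    # Assumption: the resolver's refresh time is the SOA refresh field.
    if (now - inception).total_seconds() > refresh:
        return "refresh"   # signed longer ago than one refresh interval
    return "fresh"

if __name__ == "__main__":
    print(freshness(SAMPLE_ZONE, datetime.now(timezone.utc)))
```

The comparison depends on the resolver's own clock, and it reads the timestamps without verifying the signature itself.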
