Also see thread starting at:
http://darkwing.uoregon.edu/~llynch/dnsop/msg03465.html
Olaf was the last to respond:
> >>
> >> # When a slave server is out of sync with its master and data in
> >> # a zone is signed by expired signatures it may be better for the
> >> # slave server not to give out any answer.
> >>
> >> # We suggest the SOA expiration timer being approximately one
> >> # third or one fourth of the signature validity period. It will
> >> # allow problems with transfers from the master server to be
> >> # noticed before the actual signature time out.
> >>
> >> One wording choice I noticed - "smaller" rather than "shorter." When we
> >> are talking time durations, "longer" and "shorter" are more appropriate.
> >>
> >> I agree with the recommendation here, but I am not sure about the build-up.
> >> I think that a slave ought to continue to serve up RRSIGs whose time has
> >> passed in the face of having lost contact with the master. For two
> >> reasons: one is that the clock on the slave might be wrong and the other
> >> is that resolvers might be willing to accept past-due data or are
> >> completely ignoring DNSSEC.
> >
> >But it will cause a blackout for part of the clients that pull from
> >that "SOA timed out" server if they do not ignore DNSSEC and do not
> >ignore signature validity time. Lameness is probably better than
> >complete blackouts.
> >
> >We use the "it may be better" consciously.
> >
> >Unless there are objections or alternative text I intend to keep the
> >text as is.
This issue stands as is, waiting for objections or alternative text.
(of course we'll s/smaller/shorter/)
--Olaf
---------------------------------| Olaf M. Kolkman
---------------------------------| RIPE NCC
---------------------------------| JID: olaf at jabber.secret-wg.org
dnsop resources:_____________________________________________________
web user interface: http://darkwing.uoregon.edu/~llynch/dnsop.html
mhonarc archive: http://darkwing.uoregon.edu/~llynch/dnsop/index.html
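Added example, not code from the thread above or from any draft text: a small Python check of the rule of thumb being discussed (SOA expire about one third to one fourth of the RRSIG validity period), plus a timeline for a slave that loses contact with its master, showing whether the slave goes lame before it would hand out expired signatures. The records, timestamps and the 1/3 threshold used for the "ok" flag are constructed for illustration; the signature data in the RRSIG is a placeholder.

```python
"""Added example, not code from the dnsop thread or from any draft text:
check a zone's SOA expire timer against the validity period of its RRSIGs
(expire about one third to one fourth of the signature validity period) and
show what happens on a slave that loses its master.  All records and
timestamps below are constructed for illustration."""
from datetime import datetime, timedelta, timezone

TS_FMT = "%Y%m%d%H%M%S"   # RRSIG expiration/inception presentation format

# Constructed sample records in presentation format.  "AAAA" stands in for
# the base64 signature data; it is not a real signature.
SAMPLE_RRSIG = ("example. 3600 IN RRSIG SOA 5 1 3600 20040315000000 "
                "20040215000000 12345 example. AAAA")
SAMPLE_SOA_WEAK = ("example. 3600 IN SOA ns1.example. hostmaster.example. "
                   "2004021501 7200 3600 1209600 3600")   # expire = 14 days
SAMPLE_SOA_FIXED = ("example. 3600 IN SOA ns1.example. hostmaster.example. "
                    "2004021501 7200 3600 604800 3600")   # expire = 7 days


def _ts(s):
    """Parse an RRSIG-style timestamp as an aware UTC datetime."""
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def parse_rrsig_window(line):
    """Return (inception, expiration) from an RRSIG line.  Field order follows
    RFC 4034 section 3.2: owner ttl class RRSIG type alg labels origttl
    expiration inception keytag signer signature."""
    f = line.split()
    if f[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    return _ts(f[9]), _ts(f[8])


def parse_soa_expire(line):
    """Return the expire field (seconds) from an SOA line: owner ttl class SOA
    mname rname serial refresh retry expire minimum."""
    f = line.split()
    if f[3] != "SOA":
        raise ValueError("not an SOA record")
    return int(f[9])


def check_expire_vs_validity(soa_line, rrsig_line):
    """Compare SOA expire with the RRSIG validity period.  'ok' means expire is
    no longer than one third of the validity period (threshold chosen here as
    an assumption), so a slave cut off from its master stops answering before
    its copy of the signatures runs out."""
    inception, expiration = parse_rrsig_window(rrsig_line)
    validity = int((expiration - inception).total_seconds())
    expire = parse_soa_expire(soa_line)
    ratio = expire / validity
    return {"validity": validity, "expire": expire,
            "ratio": round(ratio, 3), "ok": ratio <= 1 / 3}


def slave_timeline(soa_line, rrsig_line, last_refresh):
    """Given the timestamp (RRSIG time format) of the slave's last successful
    refresh before the master went silent, report when the slave's copy of the
    zone expires, when the signatures expire, and whether the slave goes lame
    before it would serve expired signatures."""
    _, sig_expiry = parse_rrsig_window(rrsig_line)
    zone_expiry = _ts(last_refresh) + timedelta(seconds=parse_soa_expire(soa_line))
    return {"zone_expires": zone_expiry.strftime(TS_FMT),
            "signatures_expire": sig_expiry.strftime(TS_FMT),
            "lame_before_expired_sigs": zone_expiry < sig_expiry}


if __name__ == "__main__":
    # Master goes silent after the refresh at 2004-03-05 00:00 UTC.
    for name, soa in (("weak", SAMPLE_SOA_WEAK), ("fixed", SAMPLE_SOA_FIXED)):
        print(name, check_expire_vs_validity(soa, SAMPLE_RRSIG))
        print(name, slave_timeline(soa, SAMPLE_RRSIG, "20040305000000"))
```

With the constructed 29-day signature validity, the 14-day expire lets the slave keep answering four days past signature expiry, while the 7-day expire makes it lame three days before the signatures run out, which is the trade-off argued over above.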