On 10-01-13 11:13, Antti Ristimäki wrote:
>
> But if you can verify by DNS queries when the information has been
> propagated to all authoritative servers, you can calculate the
> rest using the TTL values.

I do like this approach as well. Though it adds more complexity, and should probably be turned off in test environments, it safeguards against publishing invalid signatures. We could argue that the complexity is probably too much in all situations, especially when DNS is broken on some authoritative. I think it's better to be safe than sorry, and one should manually override an error from ODS that no keys were propagated. After all, ODS is there to take the complex rollover and monitoring tasks out of our hands.

-- 
Antoin Verschuren

Technical Policy Advisor
SIDN
Meander 501, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500  M: +31 6 23368970
Mailto: [email protected]  XMPP: [email protected]
HTTP://www.sidn.nl/

_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
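
Added example, not part of the original message and not OpenDNSSEC code: a sketch of the check discussed in this thread, which confirms the new key on every authoritative server, derives the earliest safe time from the TTL, and otherwise fails unless an operator overrides. The names `Observation`, `unconfirmed`, `earliest_use` and `PropagationError`, the server names, key tags and timestamps are all constructed for illustration; the observations stand in for the results of real DNSKEY queries.

```python
from dataclasses import dataclass
from typing import Iterable, List, Optional


class PropagationError(Exception):
    """The new key is not confirmed on every authoritative server."""


@dataclass(frozen=True)
class Observation:
    server: str               # authoritative server that was queried
    seen_at: Optional[int]    # Unix time of the answer; None if it did not answer
    key_tags: frozenset       # key tags in the DNSKEY RRset it returned


def unconfirmed(observations: Iterable[Observation], new_tag: int) -> List[str]:
    """Servers that did not answer or still serve the RRset without the new key."""
    return [o.server for o in observations
            if o.seen_at is None or new_tag not in o.key_tags]


def earliest_use(observations, new_tag, ttl, now, override=False):
    """Unix time after which caches can no longer hold the RRset lacking new_tag.

    ttl is the TTL of the DNSKEY RRset that resolvers may still have cached.
    """
    obs = list(observations)
    if not obs:
        raise ValueError("no authoritative servers were checked")
    lagging = unconfirmed(obs, new_tag)
    if lagging:
        if not override:
            raise PropagationError("not propagated: " + ", ".join(lagging))
        return now + ttl  # operator vouches for propagation as of `now`
    # The last server to pick up the key starts the TTL countdown.
    return max(o.seen_at for o in obs) + ttl


# Constructed sample data (hypothetical zone, key tags and times).
OLD_TAG, NEW_TAG = 12345, 54321
SAMPLE_OK = [
    Observation("ns1.example.", 1000, frozenset({OLD_TAG, NEW_TAG})),
    Observation("ns2.example.", 1040, frozenset({OLD_TAG, NEW_TAG})),
    Observation("ns3.example.", 1100, frozenset({OLD_TAG, NEW_TAG})),
]
SAMPLE_STALE = SAMPLE_OK[:2] + [Observation("ns3.example.", 1100, frozenset({OLD_TAG}))]
SAMPLE_DOWN = SAMPLE_OK[:2] + [Observation("ns3.example.", None, frozenset())]
```
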
