Hi Matthijs,

10.03.2014 15:59, Matthijs Mekking wrote:
> Just some ideas of how we can fix it in the future. For a short-term
> workaround, I assume monitoring is your friend.

Actually we already have quite comprehensive monitoring, but the issue I described is a bit problematic if the default PublishSafety value PT3600s is being used. In that case, one has to be able to react extremely quickly, no matter how soon your monitoring detects that the zone is not being updated.

I'm not stating that this is a fundamental flaw in the design of OpenDNSSEC, but I do hope that ODS users recognize this and make their own assessment of whether it would be good to use a bigger PublishSafety value than the default one. Personally I don't see any problem in using something like a one-week PublishSafety, just in case.

I admit that the scenario I described is more or less a corner case, but the probability of such an issue is nevertheless more than zero. And during the early years of global DNSSEC deployment, we have seen quite a few corner cases...

Antti
