[dns-operations] Signing of the ARPA zone

João Damas joao at bondis.org
Fri Mar 26 00:05:13 UTC 2010


On 25 Mar 2010, at 14:15, Paul Vixie wrote:

>> From: Mark Andrews <marka at isc.org>
>> Date: Fri, 26 Mar 2010 05:07:26 +1100
>>
>> The TTL will be related to the cached data under arpa.  When the
>> offending data clears the cache it will correct itself.  This is likely
>> to be the ttl of the DNSKEY, DS or negative DS cache entry.
>
> so, to make it happen any faster than ttl expiry,

a highly desirable feature


> the caching validator
> would have to probe the authority (with a long retry interval) to see if
> pre-expiry is warranted when validation fails in this way?

yep, there does not seem to be any other way (except perhaps keep a
closer eye on all DS RRs, even when disguised as DLV RRs, and detect
differences, but that gets ugly quickly).
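
The probe-then-pre-expire idea discussed in this message, as an added example that is not part of the original post or of any resolver's code: a toy Python cache that, on a validation failure, re-queries the authority at most once per retry interval and drops the cached DS/DNSKEY data only if it has changed. The class and function names, the 300-second interval and the sample records are all assumptions made for illustration.

```python
from dataclasses import dataclass
PROBE_INTERVAL = 300  # assumed "long retry interval" between probes, in seconds

@dataclass
class Entry:
    rdata: frozenset      # cached DS / DNSKEY rdata (empty set = negative DS)
    expires: float        # absolute expiry derived from the record's TTL

class TrustCache:         # hypothetical toy cache of per-zone trust data
    def __init__(self):
        self.entries = {}     # (zone, rrtype) -> Entry
        self.last_probe = {}  # (zone, rrtype) -> time of last authority probe

    def put(self, zone, rrtype, rdata, ttl, now):
        self.entries[(zone, rrtype)] = Entry(frozenset(rdata), now + ttl)

    def get(self, zone, rrtype, now):
        e = self.entries.get((zone, rrtype))
        if e and e.expires <= now:      # normal TTL expiry
            del self.entries[(zone, rrtype)]
            return None
        return e

    def on_validation_failure(self, zone, rrtype, now, query_authority):
        """Return 'evicted', 'unchanged', 'rate-limited' or 'not-cached'."""
        key = (zone, rrtype)
        if self.get(zone, rrtype, now) is None:
            return "not-cached"
        if now - self.last_probe.get(key, float("-inf")) < PROBE_INTERVAL:
            return "rate-limited"       # do not hammer the authority
        self.last_probe[key] = now
        fresh = frozenset(query_authority(zone, rrtype))
        if fresh != self.entries[key].rdata:
            del self.entries[key]       # pre-expiry: stale trust data dropped
            return "evicted"
        return "unchanged"              # failure has another cause; keep TTL

def demo():
    # Constructed scenario: arpa. is unsigned when cached, then gets a DS.
    authority = {("arpa.", "DS"): set()}
    ask = lambda zone, rrtype: authority[(zone, rrtype)]
    cache, out = TrustCache(), []
    cache.put("arpa.", "DS", set(), ttl=86400, now=0)  # negative DS cached
    out.append(cache.on_validation_failure("arpa.", "DS", 10, ask))
    authority[("arpa.", "DS")] = {"12345 8 2 <constructed-digest>"}
    out.append(cache.on_validation_failure("arpa.", "DS", 60, ask))
    out.append(cache.on_validation_failure("arpa.", "DS", 400, ask))
    return out, cache.get("arpa.", "DS", 401)
```

The rate limit is what keeps a burst of failing validations from turning into a burst of queries at the parent zone's servers; the comparison step is what keeps a failure with some other cause from flushing good data early.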





