[dns-operations] Cloudflare DNS resolver (1.1.1.1): Weird DNSSEC race condition
Tony Finch
dot at dotat.at
Thu Aug 9 10:42:42 UTC 2018
Michael Sinatra <michael at brokendns.net> wrote:
>
> Are you aware of any other RFC sections which suggest timing of RRSIG
> introduction into the zone? I know it's a significant issue for
> algorithm rollovers, but for new zones that are about to move from
> insecure to secure, are there good recommendations? I cited 7583,
> section 3.3.5, but it only explicitly mentions DNSKEY presence.
I had a look at RFC 6781 but it also doesn't cover insecure -> secure
transitions.
> My rule of thumb has been that DNSKEYs *and* RRSIGs should appear for at
> least 1x(Longest-TTL-in-zone), including the negative TTL. But I don't
> know if that's been codified anywhere in an RFC or operational practice
> (or if that's even the correct rule-of-thumb), so I often do
> 2x(longest-TTL) just in case.
2xTTL agrees with what was observed during the recent .se algorithm rollover
https://www.sidnlabs.nl/a/weblog/keep-m-rolling-monitoring-ses-dnssec-algorithm-rollover
Tony.
--
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
German Bight: Cyclonic 4 increasing 6 to gale 8, becoming westerly gale 8 to
storm 10 later, perhaps violent storm 11 later in north. Slight, becoming
moderate or rough. Rain or thundery showers. Good, occasionally poor.
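As an added example (not from either poster), here is a small Python script that applies the rule of thumb discussed above: find the longest TTL in a zone, counting the SOA MINIMUM field as the negative TTL, and compute the earliest DS publication time under the 1x and 2x rules once DNSKEYs and RRSIGs are being served. The zone data and timestamp are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample zone: name, TTL, type, RDATA. The SOA MINIMUM field
# (last SOA token) is deliberately longer than any other TTL so the
# negative TTL is what dominates the wait.
SAMPLE_ZONE = """
example.test.      86400   SOA  ns1.example.test. hostmaster.example.test. 2018080901 7200 3600 1209600 259200
example.test.      172800  NS   ns1.example.test.
example.test.      172800  NS   ns2.example.test.
ns1.example.test.  3600    A    192.0.2.1
ns2.example.test.  3600    A    192.0.2.2
www.example.test.  300     A    192.0.2.10
"""


def longest_ttl_including_negative(zone_text):
    """Longest TTL in the zone, with the negative TTL counted as one of them.

    RFC 2308 caps the negative-caching TTL at min(SOA TTL, SOA MINIMUM);
    the MINIMUM field alone is used here as the conservative upper bound,
    since some caches have historically honoured it directly.
    """
    longest = 0
    for line in zone_text.strip().splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        ttl, rrtype = int(fields[1]), fields[2]
        longest = max(longest, ttl)
        if rrtype == "SOA":
            longest = max(longest, int(fields[-1]))  # SOA MINIMUM
    return longest


def ds_publication_plan(zone_text, serving_since):
    """Earliest DS publication times for the 1x and 2x longest-TTL rules,
    given the moment DNSKEYs and RRSIGs first appeared in the zone."""
    longest = longest_ttl_including_negative(zone_text)
    return {
        "longest_ttl": longest,
        "ds_after_1x": serving_since + timedelta(seconds=longest),
        "ds_after_2x": serving_since + timedelta(seconds=2 * longest),
    }


if __name__ == "__main__":
    since = datetime(2018, 8, 9, 10, 42, 42, tzinfo=timezone.utc)
    for key, value in ds_publication_plan(SAMPLE_ZONE, since).items():
        print(f"{key}: {value}")
```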