[dns-operations] Cloudflare DNS resolver ( Weird DNSSEC race condition

Tony Finch dot at dotat.at
Thu Aug 9 10:42:42 UTC 2018

Michael Sinatra <michael at brokendns.net> wrote:
> Are you aware of any other RFC sections which suggest timing of RRSIG
> introduction into the zone?  I know it's a significant issue for
> algorithm rollovers, but for new zones that are about to move from
> insecure to secure, are there good recommendations?  I cited 7583,
> section 3.3.5, but it only explicitly mentions DNSKEY presence.

I had a look at RFC 6781 but it also doesn't cover insecure -> secure

> My rule of thumb has been that DNSKEYs *and* RRSIGs should appear for at
> least 1x(Longest-TTL-in-zone), including the negative TTL.  But I don't
> know if that's been codified anywhere in an RFC or operational practice
> (or if that's even the correct rule-of-thumb, so I often do
> 2x(longest-TTL) just in case.

2xTTL agrees with what was observed during the recent .se algorithm rollover


f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
German Bight: Cyclonic 4 increasing 6 to gale 8, becoming westerly gale 8 to
storm 10 later, perhaps violent storm 11 later in north. Slight, becoming
moderate or rough. Rain or thundery showers. Good, occasionally poor.

More information about the dns-operations mailing list