[dns-operations] Cloudflare DNS resolver (220.127.116.11): Weird DNSSEC race condition
dot at dotat.at
Thu Aug 9 10:42:42 UTC 2018
Michael Sinatra <michael at brokendns.net> wrote:
> Are you aware of any other RFC sections which suggest timing of RRSIG
> introduction into the zone? I know it's a significant issue for
> algorithm rollovers, but for new zones that are about to move from
> insecure to secure, are there good recommendations? I cited 7583,
> section 3.3.5, but it only explicitly mentions DNSKEY presence.
I had a look at RFC 6781 but it also doesn't cover insecure -> secure.
> My rule of thumb has been that DNSKEYs *and* RRSIGs should appear for at
> least 1x(Longest-TTL-in-zone), including the negative TTL. But I don't
> know if that's been codified anywhere in an RFC or operational practice
> (or if that's even the correct rule-of-thumb, so I often do
> 2x(longest-TTL) just in case.
2xTTL agrees with what was observed during the recent .se algorithm rollover.
f.anthony.n.finch <dot at dotat.at> http://dotat.at/
German Bight: Cyclonic 4 increasing 6 to gale 8, becoming westerly gale 8 to
storm 10 later, perhaps violent storm 11 later in north. Slight, becoming
moderate or rough. Rain or thundery showers. Good, occasionally poor.