[dns-operations] Trouble looking up various axc.nl TLSA RRs via Cloudflare DNS
Mukund Sivaraman
muks at mukund.org
Thu Oct 3 19:27:04 UTC 2019
On Thu, Oct 03, 2019 at 01:55:04PM -0400, Viktor Dukhovni wrote:
> Probably NTAs based on such data should have a much shorter shelf-life
> than two years, and require some explicit re-confirmation.
You are probably aware that RFC 7646 recommends that NTAs should not
have a lifetime of more than 1 week.
Implementations differ in performing validation tests during NTA
lifetime, and caching entries past NTA removal vs. what's in the RFC.
It is advisable to perform SOA validation as recommended by the RFC
periodically during the lifetime of the NTA.
Mukund
More information about the dns-operations
mailing list