[dns-operations] anchors.atlas.ripe.net/ripe.net - DNSSEC bogus due expiration
Viktor Dukhovni
ietf-dane at dukhovni.org
Fri Nov 3 14:54:26 UTC 2023

On Fri, Nov 03, 2023 at 11:09:02AM +0100, Vladimír Čunát via dns-operations wrote:
> On 01/11/2023 17.18, Viktor Dukhovni wrote:
> > Should authoritative [nameservers] have knobs to perform internal checks on
> > the signed zones they serve and at least syslog loud warnings?
>
> My understanding is that in this case the signer was producing loud syslog
> warnings immediately when the issue happened (i.e. long before validation
> could fail).

Sure, but the warnings were far from a clear indication that resigning
of the entire zone has stopped. In any case, logging isn't exactly the
best interface for realtime monitoring.

I do think that exposing the next expiration time for monitoring and
likewise a list of zones where that time is too soon would be of value
to operators. It doesn't obviate the need for active query probes,
those should still also happen, but I do think that operators would
benefit from such a (new) signal.

--
Viktor.
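
Added example, not part of the original message and not code from any nameserver: one way to derive the signal discussed above (next RRSIG expiration per zone, plus the list of zones where it is too soon) from zone data. It assumes one record per line in presentation format; the zone names, key tags, signatures, threshold and "current" time are constructed.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data: zone names, key tags and signatures are placeholders.
SAMPLE_ZONES = {
    "example.com.": """
example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 1 7200 900 1209600 3600
example.com. 3600 IN RRSIG SOA 13 2 3600 20231115000000 20231101000000 12345 example.com. c2FtcGxl
www.example.com. 300 IN RRSIG A 13 3 300 20231104120000 20231021120000 12345 example.com. c2FtcGxl
""",
    "example.net.": """
example.net. 3600 IN RRSIG SOA 13 2 3600 1701388800 1698796800 54321 example.net. c2FtcGxl
""",
}

def parse_rrsig_time(field):
    """RFC 4034 section 3.2: YYYYMMDDHHmmSS in UTC, or decimal seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def earliest_expiration(zone_text):
    """Return the soonest RRSIG expiration in the zone text, or None if it has no RRSIGs."""
    soonest = None
    for line in zone_text.splitlines():
        tokens = line.split(";", 1)[0].split()  # drop trailing comments
        if "RRSIG" not in tokens:
            continue
        fields = tokens[tokens.index("RRSIG") + 1:]
        if len(fields) < 6:
            continue  # truncated record, nothing to read
        expires = parse_rrsig_time(fields[4])  # fifth RDATA field is the expiration
        if soonest is None or expires < soonest:
            soonest = expires
    return soonest

def zones_expiring_soon(zones, now, min_remaining):
    """List (zone, expiration, time left) for zones whose next expiration is too soon."""
    report = []
    for name, text in zones.items():
        expires = earliest_expiration(text)
        if expires is not None and expires - now < min_remaining:
            report.append((name, expires, expires - now))
    return sorted(report, key=lambda row: row[1])

if __name__ == "__main__":
    now = datetime(2023, 11, 3, 14, 54, 26, tzinfo=timezone.utc)  # constructed "current" time
    for zone, expires, left in zones_expiring_soon(SAMPLE_ZONES, now, timedelta(days=3)):
        print(f"{zone} next RRSIG expiry {expires.isoformat()} ({left} left)")
```

The per-zone minimum is the value to export as a metric; the filtered list is the alerting view.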