[Dnssec-deployment] RRSIG for arpa expired
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Mon Jun 7 04:37:27 EDT 2010
Hi Paul,
Because it does not validate any more we also cannot trust the TTL.
Such bogus data stick around about a minute to 15 minutes (insert
rollover-and-die-concerns) until it is re-tried. (Unless an upstream
cache does not do validation and keeps the bad data around for 2 days).
Best regards,
Wouter
On 06/06/2010 08:18 PM, Paul Wouters wrote:
> On Sun, 6 Jun 2010, Mark Andrews wrote:
>
>> It now has a valid signature. But one has to wait 2 days for the
>> old one to flush from the system.
>
> Couldn't a resolver drop those records with some exponential backup scheme to
> expedite fixed domains?
>
> Paul
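The TTL behaviour the thread describes, as an added illustration that is not part of the mailing-list message: a validating resolver checks the RRSIG validity window, caps a secure answer at the signature expiration (RFC 4035 section 4.5) and, for an answer whose signature has expired, ignores the zone TTL and keeps the bogus result only briefly before re-querying; a non-validating upstream cache believes the zone TTL for the full 2 days. The 60 s and 900 s bounds, the timestamp and the `arpa` RRset values are constructed assumptions, not Unbound's or any resolver's actual defaults.

```python
"""Added example: how a validator decides how long to cache a signed RRset.

Not taken from the thread or from any resolver's code.  BOGUS_TTL_MIN /
BOGUS_TTL_MAX are assumed knobs that model the "about a minute to 15
minutes" window quoted in the message.
"""
from dataclasses import dataclass

# Assumed limits for how long a validator parks a bogus answer before
# it re-tries the query (not a real resolver's default values).
BOGUS_TTL_MIN = 60
BOGUS_TTL_MAX = 900


@dataclass
class RRset:
    name: str
    ttl: int            # TTL asserted by the zone, in seconds


@dataclass
class RRSIG:
    inception: int      # signature valid from (Unix time)
    expiration: int     # signature valid until (Unix time)


def rrsig_in_window(sig, now):
    """RFC 4034 section 3.1.5: the signature is usable only while
    inception <= now <= expiration.  The 32-bit serial-number wraparound
    the RFC specifies is ignored here for clarity."""
    return sig.inception <= now <= sig.expiration


def cache_ttl(rrset, sig, now, validating=True):
    """Return (validation_state, seconds_to_cache).

    validating=False models the non-validating upstream cache from the
    thread: it trusts the zone TTL no matter what the signature says."""
    if not validating:
        return "insecure", rrset.ttl
    if rrsig_in_window(sig, now):
        # RFC 4035 section 4.5: never keep the RRset past RRSIG expiration.
        return "secure", min(rrset.ttl, sig.expiration - now)
    # Signature expired (or not yet valid): the data is bogus and its TTL
    # cannot be trusted either, so clamp to the short retry window.
    return "bogus", min(max(rrset.ttl, BOGUS_TTL_MIN), BOGUS_TTL_MAX)


def scenario():
    """Constructed re-run of the thread's situation: the arpa RRSIG has
    expired an hour ago while the zone still advertises a 2-day TTL."""
    now = 1275800000                      # constructed timestamp, early June 2010
    arpa = RRset("arpa.", ttl=2 * 86400)  # constructed: 2-day TTL as in the thread
    sig = RRSIG(inception=now - 30 * 86400, expiration=now - 3600)
    return {
        "validator": cache_ttl(arpa, sig, now),
        "upstream": cache_ttl(arpa, sig, now, validating=False),
    }


if __name__ == "__main__":
    for who, (state, ttl) in scenario().items():
        print(f"{who:9s}: {state:8s} cached for {ttl} s")
```

Running it shows the asymmetry Wouter describes: the validator marks the answer bogus and holds it for at most 900 s before re-trying, while the non-validating cache keeps the same stale RRset for the full 172800 s, which is why a client behind such an upstream keeps seeing the expired data for two days even after the zone is re-signed.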