[Dnssec-deployment] RRSIG for arpa expired

W.C.A. Wijngaards wouter at NLnetLabs.nl
Mon Jun 7 04:37:27 EDT 2010



Hi Paul,

Because it does not validate any more we also cannot trust the TTL.
Such bogus data stick around about a minute to 15 minutes (insert
rollover-and-die-concerns) until it is re-tried.  (Unless an upstream
cache does not do validation and keeps the bad data around for 2 days).

Best regards,
   Wouter

On 06/06/2010 08:18 PM, Paul Wouters wrote:
> On Sun, 6 Jun 2010, Mark Andrews wrote:
> 
>> It now has a valid signature.  But one has to wait 2 days for the
>> old one to flush from the system.
> 
> Couldn't a resolver drop those records with some exponential backoff scheme to
> expedite fixed domains?
> 
> Paul
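The behaviour Wouter describes (a validating resolver refuses to trust the TTL of an answer whose RRSIG fails and re-tries after roughly one to fifteen minutes) and the backoff Paul asks about can be shown side by side with a small simulation. The following is an added illustration for this thread, not Unbound or BIND code: the one-minute starting hold, the fifteen-minute cap, the doubling schedule and the `arpa.` answer with a two-day TTL are all constructed to match the numbers quoted above.

```python
from dataclasses import dataclass
from typing import Callable, Dict, Optional


@dataclass
class RRset:
    """One answer as received from upstream (constructed stand-in)."""
    name: str
    ttl: int          # TTL the answer claims; unauthenticated until the RRSIG validates
    valid_sig: bool   # outcome of RRSIG validation, modelled as a flag here


@dataclass
class Entry:
    expires_at: int   # absolute time (seconds) after which the entry is re-fetched
    state: str        # "secure" or "bogus"
    backoff: int      # hold time used for this entry; doubled on the next failure


class ValidatingCache:
    """Validating resolver: a bogus answer is held for a short, backed-off
    interval instead of for the TTL it carries (hypothetical policy)."""

    def __init__(self, bogus_min: int = 60, bogus_max: int = 900):
        self.bogus_min = bogus_min    # assumption: first retry after one minute
        self.bogus_max = bogus_max    # assumption: never wait longer than 15 minutes
        self.entries: Dict[str, Entry] = {}
        self.fetches = 0

    def resolve(self, name: str, now: int, fetch: Callable[[str], RRset]) -> str:
        e = self.entries.get(name)
        if e is not None and now < e.expires_at:
            return e.state                       # served from cache, no upstream query
        rr = fetch(name)
        self.fetches += 1
        if rr.valid_sig:
            # Only a validated answer earns the right to be cached for its full TTL.
            self.entries[name] = Entry(now + rr.ttl, "secure", self.bogus_min)
            return "secure"
        prev = e.backoff if e is not None and e.state == "bogus" else None
        hold = self.bogus_min if prev is None else min(prev * 2, self.bogus_max)
        self.entries[name] = Entry(now + hold, "bogus", hold)
        return "bogus"


class NonValidatingCache:
    """Non-validating upstream cache: trusts the TTL of whatever it received."""

    def __init__(self):
        self.entries: Dict[str, tuple] = {}

    def resolve(self, name: str, now: int, fetch: Callable[[str], RRset]) -> bool:
        e = self.entries.get(name)
        if e is not None and now < e[0]:
            return e[1].valid_sig                # still serving the copy it first got
        rr = fetch(name)
        self.entries[name] = (now + rr.ttl, rr)
        return rr.valid_sig


def simulate(fix_at: int = 200, ttl: int = 172800, step: int = 30) -> Dict[str, Optional[int]]:
    """Constructed scenario: the zone serves an expired RRSIG from t=0 and is
    re-signed at t=fix_at. Returns the first time each cache hands out the
    good (validated) answer. 172800 s is the two-day TTL from the thread."""
    def upstream_at(now: int) -> Callable[[str], RRset]:
        return lambda name: RRset(name, ttl, valid_sig=now >= fix_at)

    vc, nc = ValidatingCache(), NonValidatingCache()
    recovered: Dict[str, Optional[int]] = {"validating": None, "non_validating": None}
    for now in range(0, ttl + step, step):
        if recovered["validating"] is None and vc.resolve("arpa.", now, upstream_at(now)) == "secure":
            recovered["validating"] = now
        if recovered["non_validating"] is None and nc.resolve("arpa.", now, upstream_at(now)):
            recovered["non_validating"] = now
        if None not in recovered.values():
            break
    return recovered


if __name__ == "__main__":
    print(simulate())   # the validating cache recovers in minutes, the TTL-trusting one after two days
```

With the zone re-signed 200 seconds after the failure, the validating cache re-queries at 60, 180 and 420 seconds and serves the good answer at the third retry, while the cache that honoured the original TTL keeps the unverifiable copy for the full two days. The doubling schedule is what trades fewer retries for a slower recovery; a fixed one-minute hold would have picked the fix up at 240 seconds.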


