[Dnssec-deployment] RRSIG for arpa expired
wouter at NLnetLabs.nl
Mon Jun 7 04:37:27 EDT 2010
Because it does not validate any more we also cannot trust the TTL.
Such bogus data stick around about a minute to 15 minutes (insert
rollover-and-die-concerns) until it is re-tried. (Unless an upstream
cache does not do validation and keeps the bad data around for 2 days).
On 06/06/2010 08:18 PM, Paul Wouters wrote:
> On Sun, 6 Jun 2010, Mark Andrews wrote:
>> It now has a valid signature. But one has to wait 2 days for the
>> old one to flush from the system.
> Couldn't a resolver drop those records with some exponential backup scheme to
> expedite fixed domains?
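The retry timing discussed in this thread, as an added example that is not part of the original messages or of any resolver's code: a validating cache that ignores the TTL of bogus data and re-queries after a short, growing delay. The 60 s floor and 900 s cap come from the "a minute to 15 minutes" above and the 2-day TTL from the quoted message; the doubling schedule, class and function names are assumptions.

```python
# Added illustration: how long a validating resolver keeps treating a name as
# bogus after the zone is fixed. Bounds taken from the thread; the doubling
# schedule is an assumed policy, not the behaviour of a specific resolver.
from dataclasses import dataclass

BOGUS_MIN = 60            # first retry delay after a validation failure (s)
BOGUS_MAX = 900           # cap on the retry delay (s)
UPSTREAM_TTL = 2 * 86400  # TTL honoured by a non-validating upstream cache (s)


@dataclass
class BogusEntry:
    failures: int = 0
    retry_at: float = 0.0


class ValidatingCache:
    """Tracks when a name that failed validation may be queried again."""

    def __init__(self):
        self.bogus = {}

    def record_failure(self, name, now):
        # The record's own TTL is not trusted: only the bogus timer applies.
        entry = self.bogus.setdefault(name, BogusEntry())
        delay = min(BOGUS_MIN * 2 ** entry.failures, BOGUS_MAX)
        entry.failures += 1
        entry.retry_at = now + delay
        return delay

    def record_success(self, name):
        self.bogus.pop(name, None)  # validation works again: forget backoff

    def may_retry(self, name, now):
        entry = self.bogus.get(name)
        return entry is None or now >= entry.retry_at


def recovery_time(validates_at, name="arpa."):
    """Retry from t=0 until validates_at(t) is True; return that time (s)."""
    cache, now = ValidatingCache(), 0.0
    while not validates_at(now):
        now += cache.record_failure(name, now)
    cache.record_success(name)
    return now
```

With a direct path to the authoritative servers the resolver recovers within one retry interval of the fix; behind a non-validating cache it keeps failing until the stale signature's 2-day TTL runs out there.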