[Dnssec-deployment] Expired RRSIGs for .be
steve at shinkuro.com
Fri Oct 8 05:51:28 EDT 2010
I agree strongly there should be monitoring and alerts for expiring signatures. I also think it's useful to separate "what" from "who" in the sense that there are multiple parties who can do the monitoring. I think as a community we should develop and promulgate a best practice regarding signature expirations. I have in mind something of the form, "Whenever the signature expiration is within <time>, there should be a replacement signature in place. If there is relatively common agreement about such a best practice, the monitoring could be done by the parent, the child, a third party or all of them, and it can be built into the tools. Because DNSSEC requires active change on a regular basis, the tools and practices have to evolve to include active monitoring. Otherwise we will see a fairly steady stream of these expiration incidents.
On Oct 8, 2010, at 4:01 AM, Rickard Dahlstrand wrote:
> I for one thinks that all TLDs should have monitoring active to ensure that the availability and quality of the zone is upheld.
> We use these tools:
> But are thinking of moving onto these since they are being maintained.
> 8 okt 2010 kl. 09.26 skrev Jakob Schlyter:
>> Every time this happens, I kind of wonder why there is no monitoring system triggering an alarm. If the TLD:s themselves doesn't operate such systems, perhaps there is a need (aka "market") for someone else to operate one? If not only to take good care of DNSSEC's reputation.
More information about the Dnssec-deployment