[Opendnssec-user] key ds-seen / Registry Anycast DNS
Klaus Darilion
klaus.mailinglists at pernau.at
Thu Dec 19 15:17:33 UTC 2013
On 19.12.2013 14:07, Volker Janzen wrote:
> <Parent>
> <PropagationDelay>PT9999S</PropagationDelay>
> <DS>
> <TTL>PT3600S</TTL>
> </DS>
> <SOA>
> <TTL>PT172800S</TTL>
> <Minimum>PT10800S</Minimum>
> </SOA>
> </Parent>
>
> And I think this does not match all TLD policies (found already DS
> records that are valid for 86400 seconds at TLD level). I'll now check
> the TLDs I want to use and use the maximum TTL for the specified values.
>
> In this case I'm able to just check for the DS to be found, call
> ds-seen and that should be enough to do
9999 seconds are IMO a bit low - if a name server of the parent zone is
~3 hours behind, validation may fail. I think 3 hours of "out-of-sync"
may happen also for TLDs.
Unfortunately I do not know how the parent's SOA TTL+Minimum influences
the rollover. Maybe someone can enlighten us.
regards
Klaus
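
A sketch of the check discussed in this thread, added here as an example and not part of the original post or of OpenDNSSEC: treat the DS as seen only once every authoritative server of the parent answers with the new key tag, and compare the configured PropagationDelay with the 3-hour lag mentioned above. Server names, key tags and digests are constructed, and the duration parser handles only the days/hours/minutes/seconds subset of the kasp.xml duration format.

```python
import re

# Subset of xsd:duration as written in kasp.xml: days, hours, minutes, seconds.
_DURATION = re.compile(r"^P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?$")


def duration_seconds(text):
    """Convert e.g. 'PT9999S' or 'P1DT1H' to seconds."""
    m = _DURATION.match(text)
    if not m or text in ("P", "PT"):
        raise ValueError(f"unsupported duration: {text!r}")
    days, hours, minutes, seconds = (int(g or 0) for g in m.groups())
    return ((days * 24 + hours) * 60 + minutes) * 60 + seconds


def ds_keytags(rdata_lines):
    """Key tags from DS rdata lines in `dig +short DS` form: tag alg type digest."""
    tags = set()
    for line in rdata_lines:
        fields = line.split()
        if len(fields) >= 4 and fields[0].isdigit():
            tags.add(int(fields[0]))
    return tags


def servers_missing_ds(answers, keytag):
    """Parent servers whose answer does not yet contain a DS for keytag."""
    return sorted(ns for ns, lines in answers.items()
                  if keytag not in ds_keytags(lines))


def ready_for_ds_seen(answers, keytag):
    """True only if every queried parent server already publishes the DS."""
    return bool(answers) and not servers_missing_ds(answers, keytag)


# Constructed sample: hypothetical parent servers, key tags and placeholder digests.
SAMPLE = {
    "a.nic.example.": ["12345 8 2 DIGEST-OLD", "54321 8 2 DIGEST-NEW"],
    "b.nic.example.": ["12345 8 2 DIGEST-OLD", "54321 8 2 DIGEST-NEW"],
    "c.nic.example.": ["12345 8 2 DIGEST-OLD"],  # lagging server, new DS missing
}

if __name__ == "__main__":
    print("still missing new DS:", servers_missing_ds(SAMPLE, 54321))
    print("ready for ds-seen:", ready_for_ds_seen(SAMPLE, 54321))
    # The quoted PropagationDelay versus a server that is 3 hours behind.
    print("delay covers 3h lag:",
          duration_seconds("PT9999S") >= duration_seconds("PT3H"))
```

The per-server answers would come from querying each parent name server directly (for example `dig +short DS <zone> @<server>`). With anycast, a single vantage point reaches only one instance behind each server address.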