[Opendnssec-user] key ds-seen / Registry Anycast DNS
klaus.mailinglists at pernau.at
Thu Dec 19 15:17:33 UTC 2013
On 19.12.2013 14:07, Volker Janzen wrote:
> And I think this does not match all TLD policies (found already DS
> records that are valid for 86400 seconds at TLD level). I'll now check
> the TLDs I want to use and use the maximum TTL for the specified values.
> In this case I'm able to just check for the DS to be found, call
> ds-seen and that should be enough to do
9999 seconds are IMO a bit low - if a name server of the parent zone is
~3 hours behind, validation may fail. I think 3 hours of "out-of-sync"
may also happen for TLDs.

Unfortunately I do not know how the parent's SOA TTL+Minimum influences
the rollover. Maybe someone can enlighten us.