[Opendnssec-user] PublishSafety default value

Casper Gielen c.gielen at uvt.nl
Wed Jan 9 14:57:33 UTC 2013


On 09-01-13 15:31, WBrown at e1b.org wrote:
> Would it make more sense to query DNS to verify that it really and truly 
> has been published rather than assuming it has based on some timer?

It depends on your environment. While you can query all authoritative
servers, you probably don't know every DNS-cache that might store this
information.

However, an additional check may be useful under some circumstances.
Maybe even a combination: "wait 1 more hour after the key is first seen
on the dns-server".
-- 
Casper Gielen <cgielen at uvt.nl> | LIS UNIX
PGP fingerprint = 16BD 2C9F 8156 C242 F981  63B8 2214 083C F80E 4AF7

Universiteit van Tilburg | Postbus 90153, 5000 LE
Warandelaan 2 | Telefoon 013 466 4100 | G 236 | http://www.uvt.nl
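
The combined check suggested in this message, as an added example that is not part of the original post and not OpenDNSSEC code: a key counts as published only once every authoritative server has served it continuously, and it becomes usable one hold period later. The function name, server names, key tags and poll results are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone


def key_usable_at(observations, servers, key_tag, hold=timedelta(hours=1)):
    """Return the earliest time key_tag may be used, or None if it is not
    yet visible on every authoritative server.

    observations: (time, server, key_tags) tuples, one per DNSKEY poll of
    an authoritative server; key_tags is the set of tags in the answer.
    """
    seen_since = {}
    for when, server, tags in sorted(observations, key=lambda o: o[0]):
        if server not in servers:
            continue
        if key_tag in tags:
            seen_since.setdefault(server, when)  # keep the first sighting
        else:
            # Key missing again (e.g. a secondary fell back to an old zone):
            # restart the clock for this server.
            seen_since.pop(server, None)
    if set(seen_since) != set(servers):
        return None
    # The slowest server decides; caches are covered only by the hold time,
    # so hold should be at least the DNSKEY TTL.
    return max(seen_since.values()) + hold


def utc(hh, mm):
    return datetime(2013, 1, 9, hh, mm, tzinfo=timezone.utc)


# Constructed sample data: two authoritative servers polled every 10 minutes.
SERVERS = {"ns1.example.", "ns2.example."}
OLD, NEW = 11111, 12345
POLLS = [
    (utc(12, 0), "ns1.example.", {OLD}),
    (utc(12, 0), "ns2.example.", {OLD}),
    (utc(12, 10), "ns1.example.", {OLD, NEW}),
    (utc(12, 10), "ns2.example.", {OLD}),
    (utc(12, 20), "ns1.example.", {OLD, NEW}),
    (utc(12, 20), "ns2.example.", {OLD, NEW}),
]

if __name__ == "__main__":
    print(key_usable_at(POLLS, SERVERS, NEW))
```
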




