[Opendnssec-user] PublishSafety default value

Antoin Verschuren antoin.verschuren at sidn.nl
Thu Jan 10 10:35:49 UTC 2013



On 10-01-13 11:13, Antti Ristimäki wrote:
> 
> But if you can verify by DNS queries when the information has been 
> propagated to all authoritative servers, you can calculate the
> rest using the TTL values.

I do like this approach as well.
Though it adds more complexity, and should probably be turned off in
test environments, it safeguards against publishing invalid signatures.
We could argue that the complexity is probably too much in all
situations, especially when DNS is broken on some authoritative, but I
think it's better to be safe than sorry, and one should manually
override an error from ODS that no keys were propagated. After all,
ODS is there to take the complex rollover and monitoring tasks out of
our hands.

-- 
Antoin Verschuren

Technical Policy Advisor SIDN
Meander 501, PO Box 5022, 6802 EA Arnhem, The Netherlands

P: +31 26 3525500  M: +31 6 23368970
Mailto: antoin.verschuren at sidn.nl
XMPP: antoin.verschuren at jabber.sidn.nl
HTTP://www.sidn.nl/
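The check Antti describes above, as an added example (my own sketch, not OpenDNSSEC code): each authoritative is asked for the DNSKEY RRset, and only once every one of them serves the new key does the TTL arithmetic start; until then the result is "not propagated" rather than a guessed time. The names `Observation`, `missing_servers`, `safe_after` and `probe` are assumptions, the server list is supplied by the caller, and the timestamps and key tags used for checking are constructed.

```python
"""Added example, not OpenDNSSEC code: decide when a newly published DNSKEY
is safe to rely on from (a) what each authoritative server is observed to
serve and (b) the DNSKEY TTL, as the quoted suggestion describes."""
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class Observation:
    """Result of one DNSKEY query against one authoritative server."""
    server: str            # authoritative server that was queried
    key_tags: frozenset    # key tags present in the DNSKEY RRset it returned
    ttl: int               # TTL of that DNSKEY RRset, in seconds
    seen_at: int           # unix time at which the answer was received


def missing_servers(obs: Iterable[Observation], key_tag: int) -> List[str]:
    """Authoritatives not yet serving the key; an empty list means fully propagated."""
    return sorted(o.server for o in obs if key_tag not in o.key_tags)


def safe_after(obs: Iterable[Observation], key_tag: int) -> Optional[int]:
    """Earliest unix time at which no resolver can still hold a cached DNSKEY
    RRset lacking the key: the moment the last authoritative was seen serving
    it, plus the largest DNSKEY TTL observed (assumes the TTL was not lowered
    during the rollover).  None while any authoritative still lacks the key,
    which is the case where the thread argues ODS should raise an error
    instead of proceeding on TTL arithmetic alone."""
    obs = list(obs)
    if not obs or missing_servers(obs, key_tag):
        return None
    return max(o.seen_at for o in obs) + max(o.ttl for o in obs)


def probe(zone: str, servers: Iterable[str], now: int) -> List[Observation]:
    """Query each authoritative directly (dnspython, imported lazily so the
    pure functions above work without it).  Servers are given explicitly;
    resolving the zone's NS set is left to the caller."""
    import dns.dnssec, dns.message, dns.name, dns.query, dns.rdataclass, dns.rdatatype
    name = dns.name.from_text(zone)
    out = []
    for server in servers:
        query = dns.message.make_query(name, dns.rdatatype.DNSKEY)
        resp = dns.query.tcp(query, server, timeout=5)  # TCP: DNSKEY RRsets are large
        rrset = resp.get_rrset(resp.answer, name, dns.rdataclass.IN, dns.rdatatype.DNSKEY)
        tags = frozenset(dns.dnssec.key_id(rr) for rr in rrset) if rrset else frozenset()
        out.append(Observation(server, tags, rrset.ttl if rrset else 0, now))
    return out
```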
