[Opendnssec-user] PublishSafety default value

Matthijs Mekking matthijs at nlnetlabs.nl
Thu Jan 10 11:42:28 UTC 2013



On 01/10/2013 11:13 AM, Antti Ristimäki wrote:
> On 09.01.2013 16:57, Casper Gielen wrote:
>> On 09-01-13 15:31, WBrown at e1b.org wrote:
>>> Would it make more sense to query DNS to verify that it really
>>> and truly has been published rather than assuming it has based
>>> on some timer?
>> 
>> It depends on your environment. While you can query all
>> authoritative servers you probably don't know every DNS-cache that
>> might store this information.

I think things are getting mixed up here. The PublishSafety is not
related to the DNS caches, it is a safety parameter to cover
(unexpected) events that may delay publication on all *authoritative*
name servers.

You cannot be sure of whether the data is stored in a DNS-cache or
not. However, that doesn't matter. You want the resolvers to use the
new published data, either they get it from their cache or they fetch
it from one of the authoritative name servers, e.g. the data is said
to be propagated to the resolvers.

> But if you can verify by DNS queries when the information has been 
> propagated to all authoritative servers, you can calculate the
> rest using the TTL values.

Correct.

Best regards,
  Matthijs


> 
> Antti

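The calculation discussed in this message (confirm publication on every authoritative server by query, then add the TTL), as an added example that is not part of the original post or of OpenDNSSEC. It assumes the record being rolled is a DNSKEY identified by key tag; the server names, key tags, times and TTL are constructed, and the function name is hypothetical.

```python
# Added example; server names, key tags, times and TTL are constructed.
from typing import Iterable, Optional

# (authoritative server, unix time of query, key tags in its DNSKEY answer)
Observation = tuple[str, int, frozenset[int]]

def resolvers_safe_after(observations: Iterable[Observation],
                         servers: set[str], new_tag: int,
                         dnskey_ttl: int) -> Optional[int]:
    """Return the unix time after which no resolver can still hold a cached
    DNSKEY RRset lacking new_tag, or None if publication is unconfirmed."""
    first_seen: dict[str, Optional[int]] = {s: None for s in servers}
    for server, when, tags in sorted(observations, key=lambda o: o[1]):
        if server not in first_seen:
            continue  # not one of the zone's authoritative servers
        if new_tag in tags:
            if first_seen[server] is None:
                first_seen[server] = when
        else:
            # Old RRset seen (again): lagging or rolled-back secondary,
            # so any earlier sighting on this server no longer counts.
            first_seen[server] = None
    if any(t is None for t in first_seen.values()):
        return None  # at least one authoritative server is not serving it
    # A server may have handed out the old RRset right up to the first
    # query that showed the new one, so caches expire one TTL after the
    # latest such first sighting.
    return max(first_seen.values()) + dnskey_ttl

SERVERS = {"ns1.example.", "ns2.example."}
OLD, NEW = 11111, 22222  # constructed key tags
SAMPLE: list[Observation] = [
    ("ns1.example.", 1000, frozenset({OLD})),
    ("ns2.example.", 1000, frozenset({OLD})),
    ("ns1.example.", 1300, frozenset({OLD, NEW})),
    ("ns2.example.", 1300, frozenset({OLD})),       # secondary still behind
    ("ns1.example.", 1600, frozenset({OLD, NEW})),
    ("ns2.example.", 1600, frozenset({OLD, NEW})),
]

if __name__ == "__main__":
    print(resolvers_safe_after(SAMPLE, SERVERS, NEW, dnskey_ttl=3600))
```

The observation list would come from querying each authoritative server directly; a timer such as PublishSafety covers the case where no such check is made.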


