In message <e754e90906231830g5d4a465y29251ce27d58a...@mail.gmail.com>, R Dicair e writes:
> On Tue, Jun 23, 2009 at 8:10 PM, Mark Andrews<ma...@isc.org> wrote:
> >
> > Even if the update were published on the master instantaneously
> > you still need to wait for the zone to transfer to all the
> > slaves and for the old DLV records to time out of caches.
>
> Even 24 hrs after? My zone TTLs are set for 3 hrs. It's now been ~36
> hrs since I put the new keys up on DLV, and still they cannot be
> validated.
> Is this due to the above?

Yes, the updates are slow because we had some disasters with the
automation, but we intend to turn that on again soon.

That being said, you really do need to check that the new data has
been published before you start the wait periods. That is part of
the key rollover protocol. Automation will eventually do this
checking and waiting for you as the tools get better, but for the
moment you need to do it.

Note one really should be doing the same sorts of things for
nameservers when they are being changed. Configure new nameservers
before adding them (A/AAAA/NS). Wait for the old nameserver
references (A/AAAA/NS) to expire from caches before decommissioning
them. Have all the nameservers (new and old) for the zone serve
the same content. Failure to do this also causes problems.

Note you are not alone here. Others have done the same sort of
thing before, even those that should have known better.

Mark
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: ma...@isc.org
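
The check-then-wait step described in the reply above, as an added example that is not part of the original message or of any ISC tool: it reads dig-style DLV answers collected from each authoritative server and only starts the wait period once every server serves the new key tag. The server names, key tags, digests, timestamps and the 3600-second TTL are constructed sample values, and the rule "wait one old-record TTL after the last server was seen in sync" is an assumption of this sketch.

```python
from datetime import datetime, timedelta, timezone

def parse_answers(text):
    """Return (ttl, key_tag) pairs from dig-style DLV/DS answer lines."""
    pairs = []
    for line in text.splitlines():
        f = line.split()
        # name ttl IN DLV keytag algorithm digest-type digest
        if len(f) >= 8 and f[2] == "IN" and f[3] in ("DLV", "DS"):
            pairs.append((int(f[1]), int(f[4])))
    return pairs

def rollover_status(observations, new_tag, old_ttl):
    """observations: {server: (seen_at, answer_text)}.
    Returns (servers not yet serving new_tag, earliest time the old
    record can be assumed gone from caches, or None if still waiting)."""
    missing, latest = [], None
    for server, (seen_at, text) in sorted(observations.items()):
        tags = {tag for _, tag in parse_answers(text)}
        if new_tag not in tags:
            missing.append(server)
        elif latest is None or seen_at > latest:
            latest = seen_at
    if missing or latest is None:
        return missing, None  # publication incomplete: do not start waiting
    # Caches may hold the old record for one full TTL after the last
    # server stopped serving it (assumption: old_ttl is that TTL).
    return missing, latest + timedelta(seconds=old_ttl)

# Constructed sample data (hypothetical zone, servers, tags and digests).
OLD = "example.com.dlv.example. 3600 IN DLV 40001 5 1 " + "AB" * 20
NEW = "example.com.dlv.example. 3600 IN DLV 40002 5 1 " + "CD" * 20
T1 = datetime(2009, 6, 24, 12, 0, tzinfo=timezone.utc)
T2 = datetime(2009, 6, 24, 14, 0, tzinfo=timezone.utc)
STALE = {"ns1.dlv.example.": (T1, NEW), "ns2.dlv.example.": (T2, OLD)}
SYNCED = {"ns1.dlv.example.": (T1, NEW), "ns2.dlv.example.": (T2, NEW)}

if __name__ == "__main__":
    for label, obs in (("stale", STALE), ("synced", SYNCED)):
        lagging, safe_at = rollover_status(obs, new_tag=40002, old_ttl=3600)
        print(label, "lagging:", lagging, "old key removable after:", safe_at)
```
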