On Jan 19, 2013, at 12:18 AM, Mike Jones <m...@mikejones.in> wrote:

> On 18 January 2013 16:59, <wbr...@e1b.org> wrote:
>> Chris Thompson wrote on 01/18/2013 10:06:25 AM:
>>
>>> Is fudging the expiry times like that really a good idea? If all
>>> validators allowed a 10% overrun, DNS operators would just
>>> get 10% sloppier and we would be back where we started.
>>
>> In some percentage of cases, that will most likely be true. In others,
>> there may be an extenuating circumstance that delays the process.
>>
>> I think this comes under "be liberal in what you accept."
>
> It's being a bit too liberal if you accept a signature that doesn't
> validate as if it was valid. I suspect (without confirming with the
> authors) that the 10% fudge is probably more about clock inaccuracy
> than anything else. The signatures should have been re-signed before
> they expired, even if some subset of resolvers are willing to accept a
> recently valid signature as being the same as a currently valid one.
>
> If I walk into a shop with a discount voucher that says it expired
> yesterday and I argued "well it was valid yesterday" I doubt many
> places would respond with "oh, well in that case it's obviously valid
> then".
>

Actually, a large number of retailers will accept expired coupons and discounts, including many CVS, Bed Bath and Beyond, Harmon, Bath and Body Works, etc. Now, that is their choice -- having someone decide for them whether or not they will accept the discount (which is IMO more like the Inbound case) would be different.

W

> If I administer a DNS zone and I know I can probably sign once per
> week but occasionally it might be delayed, then I would be stupid to
> only sign for 1 week at a time expecting everyone to continue to
> accept my invalid signatures until I get around to fixing it. If it
> could potentially take up to 6 months before you can get around to
> re-signing your zone, then you should factor that in to your expiry
> dates (and consider fixing whatever processes take you that long to
> get a zone signed!)
>
> - Mike
> _______________________________________________
> dns-operations mailing list
> dns-operations@lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations
> dns-jobs mailing list
> https://lists.dns-oarc.net/mailman/listinfo/dns-jobs
>

--
Curse the dark, or light a match. You decide, it's your dark.
    -- Valdis Kletnieks
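
An added example, not part of the thread and not taken from any resolver's code: it shows the strict RRSIG validity check next to a skew-tolerant one, plus the operator-side margin check Mike describes. The records are constructed, the function names are hypothetical, and the 10% is assumed to be taken of the signature's lifetime and applied on both ends, which the thread does not specify.

```python
from datetime import datetime, timedelta, timezone

FMT = "%Y%m%d%H%M%S"  # RRSIG timestamps in presentation format, always UTC

# Constructed records (example.com, key tag and signature are placeholders).
RRSIG_7D = ("example.com. 3600 IN RRSIG A 8 2 3600 "
            "20130118000000 20130111000000 12345 example.com. c2lnbmF0dXJl")
RRSIG_14D = RRSIG_7D.replace("20130118000000", "20130125000000")


def parse_window(rrsig):
    """Return (inception, expiration) of one RRSIG line."""
    f = rrsig.split()
    i = f.index("RRSIG")
    # Fields after RRSIG: type, algorithm, labels, original TTL,
    # expiration, inception, key tag, signer, signature.
    exp, inc = (datetime.strptime(f[i + k], FMT).replace(tzinfo=timezone.utc)
                for k in (5, 6))
    return inc, exp


def classify(rrsig, now, skew_fraction=0.10):
    """Strict check first, then the skew-tolerant one (assumed: 10% of lifetime)."""
    inc, exp = parse_window(rrsig)
    skew = (exp - inc) * skew_fraction
    if inc <= now <= exp:
        return "valid"
    if inc - skew <= now <= exp + skew:
        return "valid-only-with-skew"
    return "expired" if now > exp else "not-yet-valid"


def covers_resign_delay(rrsig, signed_at, resign_every, worst_delay):
    """True if the signature outlives the next planned re-sign plus the worst delay."""
    _, exp = parse_window(rrsig)
    return exp - signed_at >= resign_every + worst_delay


def utc(*args):
    return datetime(*args, tzinfo=timezone.utc)


if __name__ == "__main__":
    for when in (utc(2013, 1, 15), utc(2013, 1, 18, 10), utc(2013, 1, 19, 0, 18)):
        print(when.isoformat(), classify(RRSIG_7D, when))
    for rr in (RRSIG_7D, RRSIG_14D):
        print(covers_resign_delay(rr, utc(2013, 1, 11), timedelta(days=7), timedelta(days=2)))
```

A monitoring job that alerts on "valid-only-with-skew" catches a zone that is already failing strict validators while lenient ones still resolve it.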