I still think, stale or not, having some idea of what the zone's policy is 
regarding signature updates would be useful.  I've been running signature 
expiry monitoring scripts for a few years and having some idea of what is "ok" 
for a zone would be very helpful - particularly those zones that have a policy 
of not refreshing signatures a day or two before expiry (e.g. red ones on 
http://www.dnssek.info/), which I would normally consider a concern and start 
firing off warning emails.

-Rick

> -----Original Message-----
> From: dnsop-boun...@ietf.org [mailto:dnsop-boun...@ietf.org] On Behalf Of Joe Abley
> Sent: Thursday, June 02, 2011 3:22 AM
> To: João Damas
> Cc: IETF DNSOP WG
> Subject: Re: [DNSOP] watching for signature expiration in zones you don't sign
> 
> 
> On 2011-06-02, at 13:17, João Damas wrote:
> 
> > at first glance it might look useful, but this is the kind of info that 
> > tends to go stale and then what do you do when there is a mismatch?
> 
> I guess you flag it for manual investigation. The alternative is that you 
> don't really know when a
> situation is actually bad until the signature expires, and it'd be nice to 
> have some early warning.
> 
> I could maintain a manual table of what "bad" means for particular zones 
> based on observation, but
> that seems even more likely to become stale.
> 
> > Would you invalidate a still-valid signature if it doesn't conform to 
> > policy in case someone else is signing the zone other than the authorised party?
> 
> Nope, but (especially in these early days of deployment) perhaps it might 
> merit a note to an
> administrator, or a heads-up to a public list.
> 
> > Would you send mail to the zone admin? (and knowing the people on this 
> > list, that would be a lot of email on top of that admin) :)
> >
> > Shouldn't this sort of admin work be done by the admin, either internally 
> > or by outsourcing to some other organisation?
> 
> I guess my point is that unless you're the person involved in signing a 
> particular zone, telling when
> there's a signature expiration problem looming is not easy.
> 
> 
> Joe
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
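As an added example (not code from this thread or from any poster), the kind of policy-aware RRSIG expiry check the discussion is about: each zone is judged against its own expected refresh lead time, so a zone that habitually re-signs one day before expiry is not flagged while a zone that has fallen behind its own policy is. The sample RRSIG records, the per-zone lead times in ZONE_POLICY_LEAD_DAYS, and the fixed check time are constructed assumptions for the example.

```python
from datetime import datetime, timezone, timedelta

# Constructed sample RRSIG RRs in presentation format (RFC 4034 section 3.2);
# zone names, key tags and signature data are made up for this example.
SAMPLE_RRSIGS = """\
example.     3600 IN RRSIG SOA 8 1 3600 20110615000000 20110601000000 12345 example.     AbCd==
tight.test.  3600 IN RRSIG SOA 8 1 3600 20110604000000 20110521000000 23456 tight.test.  AbCd==
lazy.test.   3600 IN RRSIG SOA 8 1 3600 20110604000000 20110521000000 34567 lazy.test.   AbCd==
broken.test. 3600 IN RRSIG SOA 8 1 3600 20110601000000 20110518000000 45678 broken.test. AbCd==
odd.test.    3600 IN RRSIG SOA 8 1 3600 20110630000000 20110601000000 56789 signer.test. AbCd==
"""
# Hypothetical per-zone policy: days of remaining validity the zone normally
# keeps before re-signing; unlisted zones get the default.
ZONE_POLICY_LEAD_DAYS = {"example.": 7, "tight.test.": 1}
DEFAULT_LEAD_DAYS = 3
# Fixed "now" (the date of this thread) so the example is reproducible.
CHECK_TIME = datetime(2011, 6, 2, 3, 22, tzinfo=timezone.utc)

def parse_rrsig_time(field):
    # RRSIG expiration/inception are YYYYMMDDHHmmSS in UTC
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsigs(text):
    # owner TTL IN RRSIG type alg labels origttl expiration inception keytag signer sig
    records = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 13 or f[2] != "IN" or f[3] != "RRSIG":
            continue
        records.append({"owner": f[0], "type_covered": f[4],
                        "expiration": parse_rrsig_time(f[8]),
                        "inception": parse_rrsig_time(f[9]), "signer": f[11]})
    return records

def classify(rec, now):
    """Status for one RRSIG, judged against the zone's own refresh policy."""
    if rec["expiration"] <= now:
        return "EXPIRED"
    if rec["inception"] > now:
        return "NOT_YET_VALID"
    # Apex SOA should be signed by the zone itself; anything else merits a look.
    if rec["type_covered"] == "SOA" and rec["signer"] != rec["owner"]:
        return "SIGNER_MISMATCH"
    lead = timedelta(days=ZONE_POLICY_LEAD_DAYS.get(rec["owner"], DEFAULT_LEAD_DAYS))
    if rec["expiration"] - now < lead:
        return "WARN"  # behind this zone's policy: flag for manual investigation
    return "OK"

def report(text=SAMPLE_RRSIGS, now=CHECK_TIME):
    return {r["owner"]: classify(r, now) for r in parse_rrsigs(text)}
```

Calling `report()` maps each zone to its status; tight.test. comes out OK under its one-day policy while lazy.test., with the same expiration but the default three-day lead, is the one flagged for a look.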