Florian Obser <[email protected]> writes:

> How can the LocalRoot server figure out what the real expire time is
> when using http? At what time should it stop using the zone file and
> switch to querying the root name servers?

Ah, thanks for the clarification. There are a few options. One thing people have suggested to me elsewhere that would be helpful in general is to add a timestamp to the zone presentation format file. That'd help consumers of that (but not AXFRs).

> The zone file might have sat on the CDN for 10 days already. If the
> LocalRoot server starts the expire timer from when it fetched the zone,
> it will treat it as not-expired for an additional 7 days; at that point
> the zone will be 17 days old and signatures will have expired.

And looking at the signature times is definitely one of the possibilities, but I'm not sure that's the perfect solution either. Certainly if the signatures are expired then the zonemd record won't validate and the LocalRoot implementation will need to switch to regular DNS. At a minimum, it might be good to state that signatures must be valid for at least X hours or something. Suggestions welcome!

--
Wes Hardaker
Google
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
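The two policies discussed above (SOA expire timer started at fetch time versus earliest RRSIG expiration, plus a "signatures must be valid for at least X hours" acceptance rule), worked through as an added example that is not from the thread or any LocalRoot implementation. The zone fragment, its timestamps and the 24-hour default are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

DNS_TIME = "%Y%m%d%H%M%S"  # RRSIG expiration/inception presentation format

# Constructed sample zone fragment (hypothetical values, not real root-zone data).
# SOA expire is 604800 s (7 days); the RRSIGs were generated on 2024-01-01.
SAMPLE_ZONE = """\
.  86400  IN  SOA    a.root-servers.net. nstld.verisign-grs.com. 2024010100 1800 900 604800 86400
.  86400  IN  RRSIG  SOA 8 0 86400 20240113000000 20240101000000 12345 . c2lnMQ==
.  86400  IN  RRSIG  NS 8 0 518400 20240116000000 20240101000000 12345 . c2lnMg==
"""


def _dns_time(s):
    """Parse a YYYYMMDDHHMMSS timestamp as UTC."""
    return datetime.strptime(s, DNS_TIME).replace(tzinfo=timezone.utc)


def soa_expire(zone_text):
    """SOA expire interval (RDATA: mname rname serial refresh retry expire minimum)."""
    for line in zone_text.splitlines():
        f = line.split()
        if len(f) >= 11 and f[3] == "SOA":
            return timedelta(seconds=int(f[9]))
    raise ValueError("no SOA record in zone")


def earliest_rrsig_expiry(zone_text):
    """Earliest RRSIG expiration; past it the zone's signatures (and ZONEMD) fail."""
    exp = [_dns_time(f[8]) for f in map(str.split, zone_text.splitlines())
           if len(f) >= 12 and f[3] == "RRSIG"]
    if not exp:
        raise ValueError("unsigned zone")
    return min(exp)


def stop_using_at(zone_text, fetched_at):
    """When to fall back to querying the root servers: the earlier of the SOA expire
    timer started at fetch time and the earliest signature expiration."""
    fetched = _dns_time(fetched_at)
    return min(fetched + soa_expire(zone_text), earliest_rrsig_expiry(zone_text))


def accept_fetched_copy(zone_text, fetched_at, min_hours=24):
    """Acceptance rule from the mail: signatures must stay valid for at least X hours."""
    remaining = earliest_rrsig_expiry(zone_text) - _dns_time(fetched_at)
    return remaining >= timedelta(hours=min_hours)
```

With the sample fetched on 2024-01-11 (ten days after signing), the SOA timer alone would allow use until 2024-01-18, but the earliest RRSIG expiry cuts that to 2024-01-13.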
