On Feb 26, 2026, at 10:17, Wes Hardaker <[email protected]> wrote:
>
> Paul Hoffman <[email protected]> writes:
>
> Hi Paul,
>
>>> And looking at the signature times is definitely one of the
>>> possibilities, but I'm not sure that's the perfect solution either.
>>
>> I'm interested in why not
>
> There is no reason it won't work, other than we would need a policy
> somewhere stating that signature lengths must be X long minimum and
> LocalRoot implementations must check the end-signature time as the
> method of determining when their data is too old.
It's simpler than that: the resolver just looks at the RRSIG inception time and assumes that this is when the zone was first available. If that is more than the retry timer, it retries.

> It is doable -- it's just not how we currently consider what signature
> end-times are encoding. We can add that semantic, certainly, if we
> document it carefully in probably multiple places.

The heuristic would be based on inception times, not expiration. That is, the resolver doesn't wait for the zone to expire, it refreshes while the signatures are still valid.

--Paul Hoffman

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
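The inception-time heuristic described above, worked through as an added example (this is not code from the thread, from LocalRoot, or from any resolver). It parses RRSIG records in RFC 4034 presentation format, takes the inception time of the RRSIG covering the SOA as the moment the zone copy became available (choosing the SOA signature is an assumption made here, on the grounds that the SOA changes with every republished serial), and compares that age against a retry timer. Signature validity is reported alongside the decision so the point in the reply is visible: the refresh fires while the signatures are still within their validity window. The zone lines, key tag, signature bytes, timer values and the "now" timestamps are all constructed.

```python
"""Refresh decision from RRSIG inception times.

Added example for the DNSOP thread above; not code from the thread or from
any LocalRoot implementation.  Zone text, key tag, signature and the
timestamps used are constructed for illustration.
"""
import re
from datetime import datetime, timezone

# Presentation format of an RRSIG RR (RFC 4034, section 3.2), class IN only:
# owner ttl IN RRSIG type-covered alg labels orig-ttl expiration inception key-tag signer signature
_RRSIG_RE = re.compile(
    r"^(?P<owner>\S+)\s+(?P<ttl>\d+)\s+IN\s+RRSIG\s+"
    r"(?P<type_covered>\S+)\s+(?P<alg>\d+)\s+(?P<labels>\d+)\s+(?P<orig_ttl>\d+)\s+"
    r"(?P<expiration>\d+)\s+(?P<inception>\d+)\s+(?P<key_tag>\d+)\s+"
    r"(?P<signer>\S+)\s+(?P<signature>\S+)$"
)


def parse_sig_time(field: str) -> datetime:
    """RFC 4034 3.2: a 14-digit YYYYMMDDHHmmSS in UTC, otherwise decimal seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)


def parse_rrsig(text: str) -> dict:
    """Parse one RRSIG in presentation format; a record wrapped over several lines is joined first."""
    m = _RRSIG_RE.match(" ".join(text.split()))
    if m is None:
        raise ValueError(f"not an RRSIG record: {text!r}")
    rec = m.groupdict()
    rec["inception"] = parse_sig_time(rec["inception"])
    rec["expiration"] = parse_sig_time(rec["expiration"])
    return rec


def soa_rrsig(zone_lines) -> dict:
    """Return the RRSIG covering the SOA (assumption: the SOA is re-signed with every
    republished serial, so its inception marks when this copy of the zone appeared)."""
    for line in zone_lines:
        if " RRSIG " in line:
            rec = parse_rrsig(line)
            if rec["type_covered"] == "SOA":
                return rec
    raise ValueError("no RRSIG over SOA found")


def refresh_decision(zone_lines, now_utc, retry_seconds):
    """Inception-based heuristic from the thread.

    now_utc is given in RRSIG timestamp form (YYYYMMDDHHmmSS or epoch seconds).
    Returns (should_refresh, still_valid, age_seconds): refresh once the SOA
    signature's inception is older than retry_seconds.  still_valid is computed
    separately; the refresh does not wait for expiration.
    """
    rec = soa_rrsig(zone_lines)
    now = parse_sig_time(str(now_utc))
    age = int((now - rec["inception"]).total_seconds())
    still_valid = rec["inception"] <= now < rec["expiration"]
    return age > retry_seconds, still_valid, age


# Constructed root-zone-like records: the key tag and signature bytes are not real.
SAMPLE_ZONE = [
    ". 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2026022601 1800 900 604800 86400",
    ". 86400 IN RRSIG SOA 8 0 86400 20260312170000 20260226160000 12345 . bm90LWEtcmVhbC1zaWc=",
    ". 518400 IN NS a.root-servers.net.",
    ". 518400 IN RRSIG NS 8 0 518400 20260312170000 20260226160000 12345 . bm90LWEtcmVhbC1zaWc=",
]

if __name__ == "__main__":
    # Twelve hours after the constructed inception: a 6h timer refreshes, a 24h timer waits,
    # and in both cases the signature is still valid.
    for timer in (6 * 3600, 24 * 3600):
        refresh, valid, age = refresh_decision(SAMPLE_ZONE, "20260227040000", timer)
        print(f"retry timer {timer}s: age {age}s, refresh={refresh}, signature still valid={valid}")
```

The timestamp is accepted in the same form the RRSIG uses so a value can be taken straight from a log line or a dig output; an operator tuning the retry timer can see from `still_valid` that the decision is driven by age since inception, not by how close the signature is to expiring.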
