> On 27 Feb 2026, at 02:11, Florian Obser <[email protected]> wrote:
>
> On 2026-02-25 15:43 -08, Wes Hardaker <[email protected]> wrote:
>> Florian Obser <[email protected]> writes:
>>
>>> How about this, in the main document, section 4, adding "It MUST NOT be
>>> longer than...":
>> [...]
>>
>> Change added! Thanks for the concrete suggestion.
>>
>>> Now, the problem with the SOA expiry value is that it gets more out of
>>> whack the longer your transfer chain is.
>>> It seems unlikely to me that the list from
>>> draft-hardaker-dnsop-root-zone-publication-points will list the RZM's
>>> distribution servers, so everything is already one hop removed from the
>>> primary.
>>
>> FYI, the publication points will list the internic.net sources, as well
>> as the {lax,iad}.icann.dns.org AXFR sources. The original version
>> didn't because I had not received authorization to list them as examples
>> yet, but have now. I have not asked the RZM if they wanted to be listed
>> (and how and where), nor have they offered. Other sources remain to be
>> seen. But the draft contains an example list, and IANA will be
>> responsible for defining the real list.
>>
>>> 1. I think we need to mention RFC 7314 in the main document:
>>> "A LocalRoot implementation SHOULD (MUST?) use RFC 7314 EDNS EXPIRE
>>> Option."
>>
>> Add!
>>
>>> 2. The distribution points MUST support RFC 7314.
>>
>> [...]
>>
>> That's a good point to consider and I suspect we need to think about it
>> further and discuss it.
>>
>> Certainly for *XFR targets 7314 should likely be implemented when possible
>> on the server side. I think. But is it a mandatory requirement or not?
>> That I'm less convinced by.
>>
>>> 3. Figure out what to do about http / CDNs. I suppose we could use the
>>> "last-modified" header?
>>
>> That has been discussed some and we do talk about using the HEAD option
>> for HTTP requests to reduce the overhead when the zone file hasn't
>> changed.
>>
>
> You might have misunderstood what I was going on about, let me try again.
>
> How can the LocalRoot server figure out what the real expire time is
> when using http? At what time should it stop using the zone file and
> switch to querying the root name servers?
>
> The zone file might have sat on the CDN for 10 days already. If the
> LocalRoot server starts the expire timer from when it fetched the zone
> it will treat it as not-expired for an additional 7 days, at that point
> the zone will be 17 days old and signatures will have expired.
Additionally, with AXFR/IXFR we have EDNS EXPIRE, which exists to address the
expiry issue when not fetching from the authoritative source.

>> --
>> Wes Hardaker
>> Google
>>
>> _______________________________________________
>> DNSOP mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>
> --
> In my defence, I have been left unsupervised.
>

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
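A worked illustration of the expiry arithmetic argued over in this thread, added here and not part of any message or of the LocalRoot draft: it compares a timer started at fetch time with one anchored on the HTTP Last-Modified header Florian suggested, and with the RFC 7314 EDNS EXPIRE value carried down a transfer chain. The dates, the 10-day CDN delay and the two-hop chain are constructed to match the scenario above; the 7-day value is the root zone's SOA EXPIRE.

```python
"""Effective expiry of a cached root zone copy (added example, not from the
thread or the LocalRoot draft). Timeline below is constructed: the zone sat
on a CDN for 10 days before the LocalRoot server fetched it."""
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime

ROOT_SOA_EXPIRE = 604800  # root zone SOA EXPIRE: 7 days, in seconds

# Constructed timeline (all UTC).
PUBLISHED = datetime(2026, 2, 15, tzinfo=timezone.utc)         # zone generated
PRIMARY_EXPIRY = PUBLISHED + timedelta(seconds=ROOT_SOA_EXPIRE)
LAST_MODIFIED_HDR = "Sun, 15 Feb 2026 00:00:00 GMT"           # CDN's header
FETCHED_FROM_CDN = PUBLISHED + timedelta(days=10)             # LocalRoot HTTP fetch
SECONDARY_XFR = PUBLISHED + timedelta(days=3)                 # hop 1: AXFR from primary
LOCALROOT_XFR = PUBLISHED + timedelta(days=5)                 # hop 2: AXFR from secondary


def naive_expiry(fetched_at: datetime, soa_expire: int = ROOT_SOA_EXPIRE) -> datetime:
    """Timer started at fetch time: wrong whenever the copy was already old."""
    return fetched_at + timedelta(seconds=soa_expire)


def expiry_from_last_modified(last_modified: str, soa_expire: int = ROOT_SOA_EXPIRE) -> datetime:
    """Anchor the timer on the HTTP Last-Modified date instead of the fetch time."""
    return parsedate_to_datetime(last_modified) + timedelta(seconds=soa_expire)


def expiry_from_edns_expire(fetched_at: datetime, edns_expire: int) -> datetime:
    """RFC 7314: the EDNS EXPIRE option in a *XFR response carries the seconds
    left on the upstream's own expire timer, so the deadline is inherited."""
    return fetched_at + timedelta(seconds=edns_expire)


def edns_expire_to_advertise(expiry: datetime, now: datetime) -> int:
    """Value a server puts in its own EDNS EXPIRE option for the next hop."""
    return max(0, int((expiry - now).total_seconds()))


def chain_expiry(primary_expiry: datetime, xfr_times: list[datetime]) -> datetime:
    """Propagate the primary's deadline down a transfer chain via EDNS EXPIRE;
    unlike restarting SOA EXPIRE at each hop, the deadline does not drift."""
    expiry = primary_expiry
    for t in xfr_times:
        expiry = expiry_from_edns_expire(t, edns_expire_to_advertise(expiry, t))
    return expiry


def should_serve(now: datetime, expiry: datetime) -> bool:
    """Serve from the local copy only while the effective expiry is in the future."""
    return now < expiry


if __name__ == "__main__":
    naive, fixed = naive_expiry(FETCHED_FROM_CDN), expiry_from_last_modified(LAST_MODIFIED_HDR)
    print("naive:", (naive - PUBLISHED).days, "days; Last-Modified:", (fixed - PUBLISHED).days, "days")
    print("serve at fetch? naive", should_serve(FETCHED_FROM_CDN, naive), "fixed", should_serve(FETCHED_FROM_CDN, fixed))
    print("two-hop EDNS EXPIRE chain:", (chain_expiry(PRIMARY_EXPIRY, [SECONDARY_XFR, LOCALROOT_XFR]) - PUBLISHED).days, "days")
```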
