> On 27 Feb 2026, at 04:12, Paul Hoffman <[email protected]> wrote:
>
> On Feb 26, 2026, at 07:50, Jim Reid <[email protected]> wrote:
>>
>>> On 26 Feb 2026, at 15:11, Florian Obser <[email protected]> wrote:
>>>
>>> How can the LocalRoot server figure out what the real expire time is
>>> when using http? At what time should it stop using the zone file and
>>> switch to querying the root name servers?
>>
>> Surely the SOA record's metadata answers those questions? Maybe I'm missing
>> something.
>
> Not surely. The scheme of setting the SOA serial to be based on the current
> date is cute but not required. Even if IANA had a rule that it should always
> start with the date that the zone was put together, if they accidentally mess
> up once and make it a much larger number, the rule is dead. They can't later
> go back to using dates again.

You can but it requires work.

> Having said that:
>
> On Feb 26, 2026, at 07:43, Wes Hardaker <[email protected]> wrote:
>
>> And looking at the signature times is definitely one of the
>> possibilities, but I'm not sure that's the perfect solution either.
>
> I'm interested in why not. If those datetimes are wrong when the zone is
> emitted, every validator that checks times will immediately scream. If a
> resolver gets a zone over HTTPS and the signing time is more in the past than
> that resolver's refresh time, then it knows it should refresh now.

Signing time and refresh times are independent of each other.

> --Paul Hoffman
>
> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742 INTERNET: [email protected]
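
Added example, not part of the thread and not any participant's code: SOA serial comparison under RFC 1982 serial number arithmetic, and the sequence of serials a publisher would have to step through to get from an accidentally large serial back to a date-based one. The serial values are constructed and the function names are hypothetical.

```python
"""RFC 1982 serial number arithmetic applied to 32-bit SOA serials."""

MOD = 2 ** 32
HALF = 2 ** 31
MAX_STEP = HALF - 1  # largest single increment RFC 1982 defines


def serial_gt(a: int, b: int) -> bool:
    """True when serial a is newer than serial b under RFC 1982."""
    return (a < b and b - a > HALF) or (a > b and a - b < HALF)


def rollback_plan(current: int, target: int) -> list[int]:
    """Serials to publish, in order, to move a zone from `current` to `target`.

    Every step compares as newer than the one before it, so a secondary
    that tracks the serial keeps transferring. Each intermediate serial has
    to reach all consumers before the next is published; that wait is the
    operational cost of the rollback.
    """
    if current == target:
        return []
    plan = []
    # While the target does not yet compare as newer (it is older, or exactly
    # 2**31 away, which RFC 1982 leaves undefined), advance by the max step.
    while not serial_gt(target, current):
        current = (current + MAX_STEP) % MOD
        plan.append(current)
    plan.append(target)
    return plan


def plan_is_monotonic(start: int, plan: list[int]) -> bool:
    """Check that each planned serial is newer than its predecessor."""
    previous = start
    for serial in plan:
        if not serial_gt(serial, previous):
            return False
        previous = serial
    return True


if __name__ == "__main__":
    BAD_SERIAL = 3000000000   # constructed: serial published by mistake
    DATE_SERIAL = 2026022700  # constructed: YYYYMMDDNN-style serial
    print(serial_gt(DATE_SERIAL, BAD_SERIAL))      # direct jump looks older
    print(rollback_plan(BAD_SERIAL, DATE_SERIAL))  # intermediate step needed
```

A consumer that fetches the zone over HTTP and never compares serials is unaffected by the intermediate step; the plan matters only to consumers that apply the RFC 1982 comparison.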
