My DNSSEC-signed zone bya.org.hk has its SOA expire timer set to one week (604800 seconds), which is not aligned with the published DNSSEC operational practices (RFC4614 bis). It is advisable to keep the SOA expire timer between 1/4 and 1/3 of the signature validity period (30 days = 2592000 seconds). If this is not handled properly, a secondary nameserver could keep serving out-of-date RRSIGs. This can only happen when the primary nameserver is unreachable for an AXFR update.
I have decided to set it to 720000, which is easy to remember.
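As an added illustration (not part of the original post), the following script checks a zone's SOA expire timer against the RRSIG validity window using the 1/4 to 1/3 rule of thumb described above. The SOA and RRSIG records are constructed samples in presentation format; only the zone name, the one-week expire value and the 30-day validity period come from the post.

```python
"""Compare a zone's SOA expire timer with its RRSIG validity period."""
from datetime import datetime, timezone

# Constructed sample records (presentation format). Nameserver names,
# serial and the signature bytes are placeholders, not real zone data.
SOA_RR = ("bya.org.hk. 3600 IN SOA ns1.example. hostmaster.example. "
          "2024010101 7200 3600 604800 3600")
RRSIG_RR = ("bya.org.hk. 3600 IN RRSIG SOA 13 3 3600 "
            "20240131000000 20240101000000 12345 bya.org.hk. AAAA==")

_TS = "%Y%m%d%H%M%S"  # RRSIG expiration/inception timestamp format


def soa_expire(rr: str) -> int:
    """Return the EXPIRE field (seconds) of an SOA record in presentation format."""
    f = rr.split()
    i = f.index("SOA")
    # SOA fields: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
    return int(f[i + 6])


def rrsig_validity(rr: str) -> int:
    """Return the signature validity period (seconds) of an RRSIG record."""
    f = rr.split()
    i = f.index("RRSIG")
    # RRSIG fields: TYPE ALG LABELS OTTL EXPIRATION INCEPTION KEYTAG SIGNER SIG
    expiration = datetime.strptime(f[i + 5], _TS).replace(tzinfo=timezone.utc)
    inception = datetime.strptime(f[i + 6], _TS).replace(tzinfo=timezone.utc)
    return int((expiration - inception).total_seconds())


def recommended_band(validity: int) -> tuple[int, int]:
    """Lower and upper bound for SOA expire: 1/4 to 1/3 of the validity period."""
    return validity // 4, validity // 3


def within_band(expire: int, validity: int) -> bool:
    """True if the SOA expire timer sits inside the recommended band."""
    lo, hi = recommended_band(validity)
    return lo <= expire <= hi


if __name__ == "__main__":
    exp, val = soa_expire(SOA_RR), rrsig_validity(RRSIG_RR)
    lo, hi = recommended_band(val)
    print(f"SOA expire={exp}s validity={val}s band={lo}..{hi}s")
    print("current expire OK" if within_band(exp, val) else "current expire outside band")
    print("720000 OK" if within_band(720000, val) else "720000 outside band")
```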