Aug. 10, 2017
5:59 p.m.
On Thu, Aug 10, 2017 at 03:19:42PM +0000, Paul Hoffman wrote:
> Doesn't the actual time depend on when they grabbed the key? Thus, isn't there a 48-hour window for when other people will have the new key be trusted? Or am I missing something about RFC 5011?
Correct, it would be 30 days after the first time the key was seen in a refresh query. The root DNSKEY TTL is two days and I believe the refresh query interval is half the TTL, so unlucky timing in a forwarding resolver could delay discovery of a new key by up to three days.

-- 
Evan Hunt -- each@isc.org
Internet Systems Consortium, Inc.
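The timing discussed above, as an added example that is not part of the original thread or of any ISC code: a small Python model of the RFC 5011 active refresh interval (section 2.3), the 30-day add hold-down, and the extra delay a caching forwarder adds before a validator first sees a new key. The 14-day RRSIG expiration interval used in the test is an assumed input, the key tags 19036 and 20326 (the 2010 and 2017 root KSKs) are used only as labels, and the forwarder model is this example's own simplification.

```python
"""RFC 5011 timing model (added example; not code from the thread).

Times are whole hours. Models the active refresh interval (RFC 5011
section 2.3), the 30-day add hold-down, and how a forwarding resolver's
cache stretches the delay before a validator first sees a new key.
"""
from dataclasses import dataclass
from typing import Optional

HOUR = 1
DAY = 24 * HOUR
ADD_HOLD_DOWN = 30 * DAY          # RFC 5011 add hold-down time
REMOVE_HOLD_DOWN = 30 * DAY       # RFC 5011 remove hold-down time
OLD_KSK, NEW_KSK = 19036, 20326   # tags of the 2010 and 2017 root KSKs, used as labels


def active_refresh(dnskey_ttl: int, rrsig_expiration_interval: int) -> int:
    """RFC 5011 section 2.3: MAX(1 hr, MIN(15 days, OrigTTL/2, RRSigExpiration/2))."""
    return max(HOUR, min(15 * DAY, dnskey_ttl // 2, rrsig_expiration_interval // 2))


@dataclass
class KeyState:
    state: str = "Start"               # Start, AddPend, Valid, Missing, Revoked, Removed
    timer_start: Optional[int] = None  # hour the current hold-down began


class TrustPoint:
    """Per-key RFC 5011 state machine for one trust point. Model assumptions:
    every observed RRset is validly signed by an already trusted key, and a
    REVOKE-bit key that was never trusted is treated as absent."""

    def __init__(self) -> None:
        self.keys: dict[int, KeyState] = {}

    def observe(self, now: int, present: set, revoked: frozenset = frozenset()) -> None:
        """Feed one validly signed DNSKEY RRset (by key tag) seen at hour `now`."""
        for tag in present | set(self.keys):
            ks = self.keys.setdefault(tag, KeyState())
            seen = tag in present
            if tag in revoked and ks.state in ("Valid", "Missing"):
                ks.state, ks.timer_start = "Revoked", now      # RevBit on a trusted key
            elif ks.state == "Start" and seen and tag not in revoked:
                ks.state, ks.timer_start = "AddPend", now      # KeyPres: hold-down starts
            elif ks.state == "AddPend":
                if not seen or tag in revoked:
                    ks.state, ks.timer_start = "Start", None   # KeyRem: acceptance reset
                elif now - ks.timer_start >= ADD_HOLD_DOWN:
                    ks.state = "Valid"                         # AddTime elapsed
            elif ks.state == "Valid" and not seen:
                ks.state = "Missing"
            elif ks.state == "Missing" and seen:
                ks.state = "Valid"
            elif ks.state == "Revoked" and now - ks.timer_start >= REMOVE_HOLD_DOWN:
                ks.state = "Removed"                           # RemTime elapsed

    def trusted(self) -> set:
        return {t for t, ks in self.keys.items() if ks.state in ("Valid", "Missing")}


def time_to_trust(refresh: int, first_seen: int = 0, missing_at: Optional[int] = None) -> int:
    """Hours until NEW_KSK is trusted by a validator polling every `refresh`
    hours. NEW_KSK is published at `first_seen`; if `missing_at` is set, the
    RRset seen at that hour omits it (a lagging authoritative server, say),
    which resets the hold-down."""
    tp = TrustPoint()
    tp.keys[OLD_KSK] = KeyState("Valid", 0)        # configured trust anchor
    for now in range(0, 10 * ADD_HOLD_DOWN, refresh):
        present = {OLD_KSK}
        if now >= first_seen and now != missing_at:
            present.add(NEW_KSK)
        tp.observe(now, present)
        if NEW_KSK in tp.trusted():
            return now
    raise RuntimeError("hold-down never completed")


def discovery_delay(publish: int, forwarder_fetch: int, first_query: int,
                    refresh: int, ttl: int) -> int:
    """Hours between the new key appearing at the authority (`publish`) and the
    validator first seeing it. The validator queries at first_query + k*refresh
    through a forwarder that filled its cache before publication, at
    `forwarder_fetch`, and serves that stale answer until its TTL expires."""
    assert forwarder_fetch < publish
    fresh_from = max(publish, forwarder_fetch + ttl)  # earliest hour the forwarder can answer with the new key
    t = first_query
    while t < fresh_from:
        t += refresh
    return t - publish


def worst_case_discovery(refresh: int, ttl: int) -> int:
    """Longest delay over every forwarder cache age and validator query phase."""
    publish = 10 * DAY
    return max(discovery_delay(publish, publish - age, publish - phase, refresh, ttl)
               for age in range(1, ttl + 1) for phase in range(refresh))


if __name__ == "__main__":
    refresh = active_refresh(2 * DAY, 14 * DAY)   # 14-day RRSIG interval is assumed
    print("refresh interval (h):", refresh)
    print("hours to trust, seen at hour 0 / hour 5 / one miss on day 10:",
          time_to_trust(refresh), time_to_trust(refresh, 5), time_to_trust(refresh, 0, 10 * DAY))
    print("worst-case discovery behind a forwarder (h):", worst_case_discovery(refresh, 2 * DAY))
```

With a two-day TTL and a one-day refresh interval, the worst case the search finds is 70 hours, just under the three days quoted in the reply; the bound is the DNSKEY TTL plus one refresh interval. The `missing_at` case shows why the 30-day figure is a floor: a single validly signed RRset without the new key sends it back to Start and the hold-down begins again at the next query that shows it.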