Hi Daniel,
On 31.08.22 14:15, Daniel Salzman wrote:
> I understand your concerns but still you can explicitly set
> rrsig-refresh.

Absolutely, as I said I'm happy to adjust the configuration to fit our
specific deployment. I'm just unsure if rrsig-refresh or
propagation-delay is the correct option to tune. Seems I'm interpreting
the options differently than Libor does.

> Based on our experience DNS deployments are very diverse. So what is
> the right default value?

I do not think that the new default value is necessarily bad, it is just
that it was a significant change that we did not recognize as such. For
our specific use case, the old default fit perfectly, but I'm definitely
aware that this might not be the case for everyone and I do not propose
to go back to the old default.
Maybe it would make sense to include some considerations for this value in
the docs to give people a bit more guidance for tuning this aspect of
the DNSSEC policy.
Regards
André