[arin-tech-discuss] [arin-ppml] Just so it is recorded here (DNSSEC.. ) outages today..

Mark Kosters markk at arin.net
Thu Mar 10 10:22:37 EST 2016

Hi John

On 3/10/16, 7:15 AM, "John Curran" <jcurran at arin.net> wrote:

>On Mar 9, 2016, at 8:50 PM, Mark Kosters <markk at arin.net> wrote:
>> ...
>>>> For dnssec I suppose you'd be doing the above but pulling rrsig for
>>>> the SOA and making sure they are all the same.
>> What we want to do is to catch it before the sig expires. Do you have
>> ideas?
>Mark - 
>   How often is that refreshed and what the is signature lifetime?

In the normal course of operations, zones are generated six times a day to
accommodate zone snippets from other RIRs. These snippets are included in
the zone, signed, and pushed out to the authoritative servers from the
distribution master. Any changes made to the zone between the zone
generation intervals are pushed out by ixfr. Regardless if what time  it
is, if you make any delegation changes within ARIN Online, these changes
are normally reflected on our authoritative servers within five minutes.

The DNSSEC signatures are currently set to expire 14 days and 1 hour from
the time signed by the Secure64 box.


More information about the arin-tech-discuss mailing list