Viktor Dukhovni <ietf-dane(_at_)dukhovni(_dot_)org> wrote:
> I highly recommend automated monitoring of RRSIG lifetimes of at
> least the core zone apex records: DNSKEY, NS, SOA and MX across
> all the nameservers, master and slaves.
Another thing you can do is get the re-signing schedule to match the
refresh timer. E.g. in BIND the default sig-validity-interval of 30 days
replaces signatures when they have 7.5 days left, which works nicely with
an expiry timer of 1 week. Secondary servers should then expire the zone
before they go bogus.
Tony.
--
f.anthony.n.finch <dot(_at_)dotat(_dot_)at> http://dotat.at/
Northwest Fitzroy, Sole: Southwesterly 5 to 7, increasing gale 8 at times.
Rough or very rough. Rain or drizzle at times. Moderate or poor, occasionally
good.
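The monitoring Viktor recommends and the schedule check Tony describes, as an added example that is not part of the thread (neither author's code): it parses RRSIG records in presentation format, the form `dig +dnssec` prints, for each nameserver's answer, flags apex signatures that are missing, expired, not yet valid, or have less than the SOA expire timer left, and checks whether a BIND re-sign margin (a quarter of sig-validity-interval, i.e. 7.5 days for the 30-day default) is at least as long as the zone's expire timer. The server names, record data and the "now" timestamp are constructed sample input; in practice you would feed it the live answers from every master and secondary.

```python
"""Monitor RRSIG lifetimes of apex records across all nameservers.

Added example, not from the mailing-list thread. Parses RRSIGs in
presentation format (what `dig +dnssec` prints) and reports apex
signatures that are missing, expired, not yet valid, or closer to
expiration than the SOA expire timer.
"""
from datetime import datetime, timedelta, timezone

APEX_TYPES = ("DNSKEY", "NS", "SOA", "MX")

# Constructed sample answers, one list per nameserver (hypothetical names,
# fake base64 signature data). ns1 was re-signed recently; ns2 is a
# secondary that has not transferred the zone for a while, so its
# signatures are close to or past expiration and its MX set is unsigned.
SAMPLE_RRSIGS = {
    "ns1.example.com": [
        "example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20240131120000 20240101120000 12345 example.com. ZmFrZQ==",
        "example.com. 3600 IN RRSIG NS 13 2 3600 20240131120000 20240101120000 54321 example.com. ZmFrZQ==",
        "example.com. 3600 IN RRSIG SOA 13 2 3600 20240131120000 20240101120000 54321 example.com. ZmFrZQ==",
        "example.com. 3600 IN RRSIG MX 13 2 3600 20240131120000 20240101120000 54321 example.com. ZmFrZQ==",
    ],
    "ns2.example.com": [
        "example.com. 3600 IN RRSIG DNSKEY 13 2 3600 20240120000000 20231221000000 12345 example.com. ZmFrZQ==",
        "example.com. 3600 IN RRSIG NS 13 2 3600 20240120000000 20231221000000 54321 example.com. ZmFrZQ==",
        "example.com. 3600 IN RRSIG SOA 13 2 3600 20240114000000 20231215000000 54321 example.com. ZmFrZQ==",
    ],
}
# Constructed "current time" so the sample is reproducible.
SAMPLE_NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)


def parse_rrsig_time(ts):
    """RRSIG expiration/inception in presentation format: YYYYMMDDHHmmSS, UTC."""
    return datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Split one RRSIG record (RFC 4034 presentation format) into its fields.

    owner ttl class RRSIG type-covered alg labels orig-ttl expiration
    inception key-tag signer signature...
    """
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": f[0],
        "type_covered": f[4],
        "expiration": parse_rrsig_time(f[8]),
        "inception": parse_rrsig_time(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def check_rrsigs(rrsigs_by_server, now, warn_before=timedelta(days=7),
                 required=APEX_TYPES):
    """Return (server, type, problem) tuples for every apex RRSIG that is
    missing, expired, not yet valid, or expiring within `warn_before`
    (default one week, matching the SOA expire timer from the thread)."""
    problems = []
    for server, lines in rrsigs_by_server.items():
        by_type = {}
        for line in lines:
            sig = parse_rrsig(line)
            by_type.setdefault(sig["type_covered"], []).append(sig)
        for rtype in required:
            if rtype not in by_type:
                problems.append((server, rtype, "missing"))
                continue
            for sig in by_type[rtype]:
                remaining = sig["expiration"] - now
                if sig["inception"] > now:
                    problems.append((server, rtype, "not-yet-valid"))
                elif remaining <= timedelta(0):
                    problems.append((server, rtype, "expired"))
                elif remaining < warn_before:
                    problems.append((server, rtype, "expiring"))
    return problems


def bind_resign_margin_days(sig_validity_days=30.0):
    """BIND re-signs when a quarter of sig-validity-interval is left,
    so the 30-day default replaces signatures with 7.5 days remaining."""
    return sig_validity_days / 4.0


def schedule_is_safe(sig_validity_days=30.0, soa_expire_days=7.0):
    """A secondary that loses contact with the master should expire the zone
    before the signatures it is still serving go bogus: the re-sign margin
    must be at least as long as the SOA expire timer."""
    return bind_resign_margin_days(sig_validity_days) >= soa_expire_days


if __name__ == "__main__":
    for server, rtype, problem in check_rrsigs(SAMPLE_RRSIGS, SAMPLE_NOW):
        print("%s %s RRSIG: %s" % (server, rtype, problem))
    print("30-day validity vs 1-week expire is safe:",
          schedule_is_safe(30, 7))
```

Run against the sample, ns1 is clean while ns2 shows DNSKEY and NS expiring, SOA already expired and MX missing, which is exactly the stale-secondary picture a monitor should page on. The schedule check only compares the re-sign margin with the expire timer; it does not verify what the signer actually did, so run both.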