Viktor Dukhovni <ietf-dane@xxxxxxxxxxxx> wrote:
>
> I highly recommend automated monitoring of RRSIG lifetimes of at
> least the core zone apex records: DNSKEY, NS, SOA and MX across
> all the nameservers, master and slaves.

Another thing you can do is get the re-signing schedule to match the
refresh timer. E.g. in BIND the default sig-validity-interval of 30 days
replaces signatures when they have 7.5 days left, which works nicely with
an expiry timer of 1 week. Secondary servers should then expire the zone
before they go bogus.

Tony.
-- 
f.anthony.n.finch <dot@xxxxxxxx> http://dotat.at/
Northwest Fitzroy, Sole: Southwesterly 5 to 7, increasing gale 8 at times.
Rough or very rough. Rain or drizzle at times. Moderate or poor,
occasionally good.
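
The monitoring and timer relationship discussed in this message, as an added example that is not part of the original thread and not BIND's own code: it reads RRSIG and SOA records in the presentation format dig prints, per nameserver, and compares each signature's remaining lifetime with the SOA expire timer. The zone, server names, key tag, signatures and the "at-risk" rule are assumptions made for the example.

```python
from datetime import datetime, timezone

# Constructed sample answers, in the presentation format `dig +dnssec` prints,
# one per nameserver. Names, key tag and signatures are placeholders.
SAMPLE = {
    "ns1.example.": """\
example. 3600 IN SOA ns1.example. hostmaster.example. 2024011501 3600 900 604800 3600
example. 3600 IN RRSIG SOA 13 1 3600 20240214000000 20240115000000 12345 example. c2ln
example. 3600 IN RRSIG MX 13 1 3600 20240214000000 20240115000000 12345 example. c2ln
""",
    "ns2.example.": """\
example. 3600 IN SOA ns1.example. hostmaster.example. 2023122001 3600 900 604800 3600
example. 3600 IN RRSIG SOA 13 1 3600 20240119000000 20231220000000 12345 example. c2ln
example. 3600 IN RRSIG MX 13 1 3600 20240116000000 20231217000000 12345 example. c2ln
""",
}

def parse(text):
    """Return (SOA expire in seconds, {type covered: earliest RRSIG expiration})."""
    expire, sigs = None, {}
    for line in text.splitlines():
        f = line.split()
        if len(f) >= 11 and f[3] == "SOA":
            expire = int(f[9])  # mname rname serial refresh retry EXPIRE minimum
        elif len(f) >= 13 and f[3] == "RRSIG":
            # type alg labels orig-ttl EXPIRATION inception key-tag signer signature
            when = datetime.strptime(f[8], "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
            sigs[f[4]] = min(when, sigs.get(f[4], when))
    return expire, sigs

def check(answers, now):
    """Classify every (server, type covered) pair as ok, at-risk or bogus."""
    report = {}
    for server, text in answers.items():
        expire, sigs = parse(text)
        for rrtype, when in sigs.items():
            left = (when - now).total_seconds()
            # Assumption of this example: a signature with less lifetime left than the
            # SOA expire timer can go bogus before a cut-off secondary drops the zone.
            state = "bogus" if left <= 0 else "at-risk" if left < (expire or 0) else "ok"
            report[(server, rrtype)] = (state, round(left / 86400, 1))
    return report

if __name__ == "__main__":
    now = datetime(2024, 1, 17, tzinfo=timezone.utc)
    for key, value in sorted(check(SAMPLE, now).items()):
        print(*key, *value)
```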