On Fri, Nov 03, 2023 at 11:09:02AM +0100, Vladimír Čunát via dns-operations
wrote:
> On 01/11/2023 17.18, Viktor Dukhovni wrote:
> > Should authoritative [nameservers] have knobs to perform internal checks on
> > the signed zones they serve and at least syslog loud warnings?
>
> My understanding is that in this case the signer was producing loud syslog
> warnings immediately when the issue happened (i.e. long before validation
> could fail).

Sure, but the warnings were far from a clear indication that resigning
of the entire zone has stopped. In any case, logging isn't exactly the
best interface for realtime monitoring.

I do think that exposing the next expiration time for monitoring and
likewise a list of zones where that time is too soon would be of value
to operators. It doesn't obviate the need for active query probes,
those should still also happen, but I do think that operators would
benefit from such a (new) signal.

--
Viktor.
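
The signal proposed above (the next signature expiration per zone, plus a list of zones where it is too soon), sketched as an added example that is not part of the original message or of any nameserver's code. It assumes zone text with one record per line and the owner name on every line; the zone names, record data and three-day threshold are constructed.

```python
from datetime import datetime, timedelta, timezone

CLASSES = {"IN", "CH", "HS"}

# Constructed sample zones (signatures shortened to a placeholder).
ZONES = {
    "example.": """\
example.      3600 IN SOA   ns.example. admin.example. 1 7200 3600 1209600 3600
example.      3600 IN RRSIG SOA 13 1 3600 20231117000000 20231103000000 12345 example. c2ln
example.      3600 IN NSEC  www.example. SOA RRSIG NSEC
www.example.  3600 IN RRSIG A 13 2 3600 20231104060000 20231021060000 12345 example. c2ln
""",
    "example.net.": """\
example.net.  3600 IN RRSIG SOA 13 2 3600 1700438400 1698796800 54321 example.net. c2ln
""",
}

def parse_sig_time(field):
    """RFC 4034 section 3.2: YYYYMMDDHHmmSS, or seconds since the epoch."""
    if len(field) == 14:
        return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return datetime.fromtimestamp(int(field), tz=timezone.utc)

def rrsig_rdata(line):
    """Return (owner, rdata fields) if the record type is RRSIG, else None.
    The type field is located explicitly so that an NSEC record whose type
    bitmap merely lists RRSIG is not mistaken for a signature."""
    tokens = line.split(";", 1)[0].split()
    fields = tokens[1:]
    while fields and (fields[0].isdigit() or fields[0].upper() in CLASSES):
        fields = fields[1:]  # skip optional TTL and class
    if len(fields) >= 10 and fields[0].upper() == "RRSIG":
        return tokens[0], fields[1:]
    return None

def next_expiration(zone_text):
    """(expiration, owner, covered type) of the RRSIG that expires first, or None."""
    found = []
    for line in zone_text.splitlines():
        rec = rrsig_rdata(line)
        if rec:
            owner, rdata = rec
            found.append((parse_sig_time(rdata[4]), owner, rdata[0]))
    return min(found) if found else None

def zones_expiring_soon(zones, now, min_remaining):
    """Zones whose earliest signature expires within min_remaining (or already has)."""
    soon = []
    for name, text in zones.items():
        nxt = next_expiration(text)
        if nxt and nxt[0] - now < min_remaining:
            soon.append((name, nxt[0]))
    return sorted(soon, key=lambda item: item[1])
```

Because the minimum is taken over every RRSIG, one stale signature is enough to flag a zone even when the SOA signature is fresh, which is the partial-failure case a periodic check of a single record would miss.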