On Tue, Sep 24, 2024 at 12:42 AM Michael Paoli michael.paoli@berkeley.edu wrote:
Not 100% sure what's made that difference between the domains. Some are exact same gTLD and key types and sizes, and dnssec-policy and procedures, etc. used, yet still seeing somewhat different results. E.g. on sflug.com. vs. sf-lug.com.
So, e.g. compare both, right after first change, both have added new ZSK: https://dnsviz.net/d/sf-lug.com/ZvGgLQ/dnssec/ https://dnsviz.net/d/sflug.com/ZvFWjQ/dnssec/ but sf-lug.com dropped the old ZSK way too fast (about instantly, or within minutes) whereas that should've probably rolled over 1 or 24 hours, depending upon TTL thereof, and we can see with sflug.com looks like it at least started a proper rollover.