[Opendnssec-user] timings and ttl

Mathieu Arnold mat at mat.cc
Thu Sep 19 16:20:55 UTC 2013


Hi,

I was just wondering about the TTL of RRSIGs. Say I have my ZSK rollover
set for every 30 days: if I add a record with a 10-week TTL (yes, that's
a bit stupid, but for the sake of the argument), its RRSIG will also have
a 10-week TTL, and will still be alive in a cache somewhere long after the
ZSK is gone and buried.

So, is it a bad thing, and RRSIGs should not have their TTL set to more
than X, or am I overthinking it and we don't care because the cache would
have verified that the RRSIG is authentic when getting it, and the fact
that the key it's referencing is not there any more is not important?

-- 
Mathieu Arnold
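
The timing in the question above, worked through as an added example that is not part of the original message. It assumes the old ZSK is withdrawn at the 30-day rollover (as the post supposes); the fetch time and the 14-day signature validity are constructed values, and the cap applied is the one RFC 4035 section 5.3.3 requires of validating resolvers.

```python
import re

UNITS = {"s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}
DAY = 86400


def parse_ttl(text):
    """Convert a zone-file style TTL such as '10w' or '1d12h' to seconds."""
    if text.isdigit():
        return int(text)
    parts = re.findall(r"(\d+)([smhdw])", text.lower())
    if not parts or "".join(n + u for n, u in parts) != text.lower():
        raise ValueError(f"bad TTL: {text!r}")
    return sum(int(n) * UNITS[u] for n, u in parts)


def validated_ttl(rrset_ttl, rrsig_ttl, original_ttl, sig_expiration, now):
    """TTL a validating cache may keep, per RFC 4035 section 5.3.3:
    the minimum of the received RRset TTL, the received RRSIG TTL, the
    RRSIG Original TTL field and the time left until signature expiration."""
    return max(0, min(rrset_ttl, rrsig_ttl, original_ttl, sig_expiration - now))


def cache_overlap(ttl, zsk_removed_at, fetched_at, sig_expiration):
    """Seconds a cached RRSIG outlives the ZSK (0 if it does not).
    Returns (raw, validated): raw uses the record TTL alone, as in the
    question; validated applies the RFC 4035 cap."""
    raw_end = fetched_at + ttl
    capped = validated_ttl(ttl, ttl, ttl, sig_expiration, fetched_at)
    val_end = fetched_at + capped
    return (max(0, raw_end - zsk_removed_at), max(0, val_end - zsk_removed_at))


if __name__ == "__main__":
    ttl = parse_ttl("10w")          # record TTL from the question
    zsk_removed = 30 * DAY          # assumption: key withdrawn at rollover
    fetched = 29 * DAY              # constructed: cached one day before rollover
    sig_exp = fetched + 14 * DAY    # constructed: 14 days of validity left
    raw, capped = cache_overlap(ttl, zsk_removed, fetched, sig_exp)
    print(f"TTL alone:         cached {raw // DAY} days past ZSK removal")
    print(f"With RFC 4035 cap: cached {capped // DAY} days past ZSK removal")
```
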


