[Opendnssec-user] timings and ttl

Joe Abley jabley at hopcount.ca
Thu Sep 19 17:32:12 UTC 2013


On 2013-09-19, at 12:20, Mathieu Arnold <mat at mat.cc> wrote:

> I was just wondering about the TTL of RRSIGs. Say I have my ZSK rollover
> set for every 30 days; if I add a record with a 10-week TTL (yes, that's
> a bit stupid, but, for the sake of the argument), its RRSIG will also have
> a 10-week TTL, and will still be alive in a cache somewhere long after the
> ZSK is gone and buried.
> 
> So, is it a bad thing, and RRSIGs should not have their TTL set to more than X,
> or am I overthinking it and we don't care because the cache would have
> verified that the RRSIG is authentic when getting it, and the fact that the
> key it's referencing is not there any more is not important?

Validating resolvers will drop an RRSIG from a cache and re-fetch if the local clock has ticked past the expiration timer specified in the corresponding RRSIG RDATA field. Non-validating resolvers don't have to care.

RFC 4033

8.1.  TTL Values vs. RRSIG Validity Period

   It is important to note the distinction between a RRset's TTL value
   and the signature validity period specified by the RRSIG RR covering
   that RRset.  DNSSEC does not change the definition or function of the
   TTL value, which is intended to maintain database coherency in
   caches.  A caching resolver purges RRsets from its cache no later
   than the end of the time period specified by the TTL fields of those
   RRsets, regardless of whether the resolver is security-aware.

   The inception and expiration fields in the RRSIG RR ([RFC4034]), on
   the other hand, specify the time period during which the signature
   can be used to validate the covered RRset.  The signatures associated
   with signed zone data are only valid for the time period specified by
   these fields in the RRSIG RRs in question.  TTL values cannot extend
   the validity period of signed RRsets in a resolver's cache, but the
   resolver may use the time remaining before expiration of the
   signature validity period of a signed RRset as an upper bound for the
   TTL of the signed RRset and its associated RRSIG RR in the resolver's
   cache.


Joe
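An added worked example of the rule quoted above (not code from Joe's reply, OpenDNSSEC, or the RFC): a validating resolver caps the cached TTL of an RRset and its RRSIG at the time left before the RRSIG expiration, and treats the signature as unusable outside its inception..expiration window. RRSIG time fields are parsed in their YYYYMMDDHHmmSS presentation form and compared with 32-bit serial-number arithmetic as RFC 4034 requires; the 10-week TTL and the 14-day signature window are constructed sample values.

```python
from datetime import datetime, timezone

TWO32 = 2 ** 32
TWO31 = 2 ** 31


def parse_rrsig_time(text: str) -> int:
    """YYYYMMDDHHmmSS (UTC, RRSIG presentation form) -> seconds since epoch,
    reduced to the 32-bit value carried on the wire."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % TWO32


def serial_diff(a: int, b: int) -> int:
    """Signed a - b under RFC 1982 serial-number arithmetic (32-bit wrap)."""
    return ((a - b + TWO31) % TWO32) - TWO31


def cache_ttl(rrset_ttl: int, inception: int, expiration: int, now: int):
    """TTL a validating resolver may keep the RRset/RRSIG pair for, or None
    when 'now' is outside the signature validity period.  The RRset TTL is
    an upper bound; the remaining validity period is a second, tighter one."""
    if serial_diff(now, inception) < 0 or serial_diff(expiration, now) < 0:
        return None
    return min(rrset_ttl, serial_diff(expiration, now))


# Constructed sample (not from the thread): the 10-week TTL record from the
# question, covered by an RRSIG valid for 14 days from 2013-09-19.
SAMPLE_TTL = 10 * 7 * 86400                       # 6048000 seconds
SAMPLE_INCEPTION = parse_rrsig_time("20130919000000")
SAMPLE_EXPIRATION = parse_rrsig_time("20131003000000")


def sample_cache_ttl(now_text: str):
    """Effective cache TTL of the sample RRset when fetched at 'now_text'."""
    return cache_ttl(SAMPLE_TTL, SAMPLE_INCEPTION, SAMPLE_EXPIRATION,
                     parse_rrsig_time(now_text))


if __name__ == "__main__":
    for when in ("20130918000000", "20130919120000", "20131004000000"):
        print(when, "->", sample_cache_ttl(when))
```

Whatever the ZSK rollover schedule, the cached copy is never usable past the RRSIG expiration, so a long RRset TTL only matters to non-validating caches.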
