[Opendnssec-user] timings and ttl

Jakob Schlyter jakob at kirei.se
Mon Sep 23 06:16:01 UTC 2013


On 19 sep 2013, at 19:32, Joe Abley <jabley at hopcount.ca> wrote:

> Validating resolvers will drop an RRSIG from a cache and re-fetch if the local clock has ticked past the expiration timer specified in the corresponding RRSIG RDATA field.

I would say "might drop", not "will drop". The specification is not strict on this and even though refetching may be the sane thing to do, I can imagine validating resolvers just returning bogus if the (expired) signature in the cache does not validate the associated cached data.


	jakob



