[Opendnssec-user] timings and ttl
Jakob Schlyter
jakob at kirei.se
Mon Sep 23 06:16:01 UTC 2013
On 19 sep 2013, at 19:32, Joe Abley <jabley at hopcount.ca> wrote:
> Validating resolvers will drop an RRSIG from a cache and re-fetch if the local clock has ticked past the expiration timer specified in the corresponding RRSIG RDATA field.
I would say "might drop", not "will drop". The specification is not strict on this and even though refetching may be the sane thing to do, I can imagine validating resolvers just returning bogus if the (expired) signature in the cache does not validate the associated cached data.
jakob
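
The two resolver behaviours contrasted in this exchange, sketched as an added example (not code from either poster, OpenDNSSEC, or any real resolver). The names CachedRRset, Policy and lookup are hypothetical, the timestamps are constructed, and the serial-number comparison follows RFC 4034 section 3.1.5 / RFC 1982.

```python
from dataclasses import dataclass
from enum import Enum

MOD = 1 << 32  # RRSIG inception/expiration are 32-bit counters of seconds


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial comparison: True when a is later than b (mod 2**32)."""
    return a != b and ((a - b) % MOD) < (1 << 31)


class Policy(Enum):
    REFETCH = "refetch"  # drop the cached RRSIG and query again
    BOGUS = "bogus"      # keep the entry and fail validation


@dataclass
class CachedRRset:  # hypothetical cache entry, constructed for this example
    name: str
    rrtype: str
    sig_expiration: int  # RRSIG Signature Expiration field
    cached_until: int    # local clock value at which the TTL runs out


def lookup(entry: CachedRRset, now: int, policy: Policy) -> str:
    """Return 'miss', 'secure', 'refetch' or 'bogus' for a cache hit at `now`."""
    if now >= entry.cached_until:
        return "miss"  # TTL ran out: an ordinary re-query, no DNSSEC decision
    if serial_gt(now % MOD, entry.sig_expiration % MOD):
        # TTL still alive but the signature has expired: the case under discussion
        return policy.value
    return "secure"


# Constructed entry: the signature expires one hour before the TTL does.
entry = CachedRRset("example.com.", "A",
                    sig_expiration=1379900000, cached_until=1379903600)

if __name__ == "__main__":
    for now in (1379890000, 1379900001, 1379903600):
        for policy in Policy:
            print(now, policy.name, lookup(entry, now, policy))
```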