[Opendnssec-user] timings and ttl

Jakob Schlyter jakob at kirei.se
Mon Sep 23 13:02:23 UTC 2013


On 23 sep 2013, at 08:16, Jakob Schlyter <jakob at kirei.se> wrote:

>> Validating resolvers will drop an RRSIG from a cache and re-fetch if the local clock has ticked past the expiration timer specified in the corresponding RRSIG RDATA field.
> 
> I would say "might drop", not "will drop". The specification is not strict on this and even though refetching may be the sane thing to do, I can imagine validating resolvers just returning bogus if the (expired) signature in the cache does not validate the associated cached data.

Unbound will cap the TTL of the resulting records to the remaining TTL-to-expiry for that RRSIG. And then normal TTL countdown stops expired RRSIGs from user results.

	jakob
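As an added illustration of the TTL capping described in the reply above (this is example code written for this page, not Unbound's implementation or anything from the thread): a validating cache that follows RFC 4035 section 5.3.3 stores an authenticated RRset with a TTL no greater than the minimum of the RRset TTL, the RRSIG TTL, the RRSIG's Original TTL and the seconds remaining until the RRSIG's Signature Expiration. The timestamps and TTLs below are constructed sample values, and the function names are this example's own.

```python
"""Cap a cached RRset's TTL to the remaining validity of its covering RRSIG.

RRSIG Inception/Expiration are 32-bit serial timestamps (RFC 4034 section
3.1.5), so comparisons use RFC 1982 serial arithmetic. All sample values in
the usage section are constructed for this example, not real zone data.
"""
from datetime import datetime, timezone

MOD32 = 1 << 32


def rrsig_time(presentation: str) -> int:
    """Parse the YYYYMMDDHHmmSS presentation form into a 32-bit serial."""
    dt = datetime.strptime(presentation, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % MOD32


def serial_gt(a: int, b: int) -> bool:
    """RFC 1982 serial comparison: True when a is 'after' b modulo 2^32."""
    return 0 < ((a - b) % MOD32) < (1 << 31)


def in_validity_window(now: int, inception: int, expiration: int) -> bool:
    """RFC 4034 section 3.1.5: inception <= now <= expiration (serial arithmetic)."""
    return not serial_gt(inception, now) and not serial_gt(now, expiration)


def capped_ttl(rrset_ttl: int, rrsig_ttl: int, original_ttl: int,
               now: int, inception: int, expiration: int):
    """TTL to cache the authenticated RRset with, per RFC 4035 section 5.3.3.

    Returns None when the signature is outside its validity window, i.e. the
    data must not be cached as authentic at all.
    """
    if not in_validity_window(now, inception, expiration):
        return None
    remaining = (expiration - now) % MOD32
    # Normal TTL countdown from this value means the record leaves the cache
    # no later than the moment its RRSIG expires.
    return min(rrset_ttl, rrsig_ttl, original_ttl, remaining)


if __name__ == "__main__":
    # Constructed sample: signature valid 12:00-14:00 UTC, lookup at 13:00 UTC.
    inc = rrsig_time("20130923120000")
    exp = rrsig_time("20130923140000")
    now = rrsig_time("20130923130000")
    print("cached TTL:", capped_ttl(7200, 7200, 86400, now, inc, exp))   # 3600
    late = rrsig_time("20130923150000")
    print("after expiry:", capped_ttl(7200, 7200, 86400, late, inc, exp))  # None
```

The cap is what makes the "normal TTL countdown" argument work: a record whose RRSIG expires in one hour is never cached for longer than that hour, so an expired signature cannot be served from cache regardless of the zone's nominal TTL.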
