The timestamp of the DS RR or DLV RR

徐东 xudong83 at
Mon Aug 10 08:18:28 UTC 2009

  I made a test about the DS RR and DLV RR, and i found something strange: i
set the period of validity of the DS RRs or DLV RRs  to 10 minites when
signning the parent's zones, just as bellow:

*dnssec-signzone -r /dev/urandom -t -o -s 20090810153200 -e
20090810154200 -k*

And after about more than 10 minites from the starting of signature, when i
looked up a NS or A record with the dig on the recursive server, it still
returned the information back with the "ad" flag.
but the RRSIG of the DLV RR(or RRSIG of the DS RR)has expired, so i think
the bind may not check the validity of the RRSIG about the DS RR or DLV RR.
So, i want to confirm this problem.


Email:xudong83 at
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the bind-users mailing list