DNSSEC - 1 RRSIG - expires while in cache

Marc Lampo marc.lampo at eurid.eu
Sat Nov 27 12:09:13 UTC 2010


In my opinion, the following situation should be avoided,
but I'd welcome motivated second opinions.

A DNSSEC verification script yielded a warning this morning:

HIDDEN : (soa = HIDDEN) (# RRSIGS : 1) (keyid : HIDDEN)
inception        : 20101124231706 ok
now              : 20101127083003
expiration       : 20101129231706 ok
ttl              : 259200
expiration - ttl : 20101126231706 WARNING (becomes invalid during TTL)

In summary:
 There is one (1) RRSIG available,
 Which is valid now and not yet expired.
 However, given the TTL, the signature will expire while still in the

Q1: If an RRSIG is found in the cache (cache "hit"),
    but it is expired.
    ? should a validating caching name server "ignore" the RRSIG in the
      and look for a "refresh"?
    ? will Bind do so?
Q2: Does Bind's "automatic" resigning take the TTL into account?
     (so that it does not resign later than "present expiration" - "TTL")
    Or is this irrelevant because the answer to the earlier question
     is that an expired RRSIG in the cache must be refreshed.

Thanks and kind regards,

Marc Lampo
Security Officer
    Woluwelaan 150
    1831 Diegem - Belgium
    TEL.: +32 (0) 2 401 3030
    MOB.: +32 (0)476 984 391
    marc.lampo at eurid.eu
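The check the poster's script performs, followed by the validator-side TTL cap that RFC 4035 section 5.3.3 requires (a validating resolver must not cache a signed RRset longer than the time left until its RRSIG expires), as an added Python example that is neither the poster's script nor BIND code. The timestamps and TTL are the ones quoted above; the function names are this example's own.

```python
from datetime import datetime, timezone

# Added example, not from the original post: reproduces the RRSIG window
# check shown in the message and then applies the RFC 4035 s.5.3.3 TTL cap.
FMT = "%Y%m%d%H%M%S"  # RRSIG inception/expiration stamp format


def parse_rrsig_time(stamp: str) -> datetime:
    """Parse a YYYYMMDDHHMMSS RRSIG timestamp as UTC."""
    return datetime.strptime(stamp, FMT).replace(tzinfo=timezone.utc)


def rrsig_status(inception: str, expiration: str, now: str, ttl: int) -> dict:
    """The script's checks for one RRSIG: valid now, and would a copy cached
    right now with the full zone TTL outlive the signature's expiration?"""
    inc, exp, cur = (parse_rrsig_time(s) for s in (inception, expiration, now))
    valid_now = inc <= cur < exp
    seconds_left = int((exp - cur).total_seconds())
    return {
        "valid_now": valid_now,
        "seconds_until_expiry": seconds_left,
        "expires_during_ttl": valid_now and seconds_left < ttl,
    }


def capped_cache_ttl(expiration: str, now: str, ttl: int) -> int:
    """TTL a validating resolver may actually cache the RRset with.

    RFC 4035 s.5.3.3 caps the cached TTL at the time remaining until the
    RRSIG's expiration (and at the RRSIG's own TTL and Original TTL, which
    are assumed equal to `ttl` here), so the RRset cannot be served from
    cache after its signature has become invalid.
    """
    remaining = (parse_rrsig_time(expiration) - parse_rrsig_time(now)).total_seconds()
    return max(0, min(ttl, int(remaining)))


if __name__ == "__main__":
    # Values quoted in the post: inception, expiration, "now", zone TTL.
    args = ("20101124231706", "20101129231706", "20101127083003", 259200)
    print(rrsig_status(*args))           # expires_during_ttl: True
    print(capped_cache_ttl(*args[1:]))   # 226023 seconds, not 259200
```

With the post's numbers, 226023 seconds remain before expiration, so a validator honouring the cap caches the RRset for that long rather than the full 259200-second TTL; the warning is therefore about the unsigned TTL, not about what a validating resolver would serve.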

