DNSSEC - 1 RRSIG - expires while in cache

Kevin Oberman oberman at es.net
Sat Nov 27 17:30:53 UTC 2010


> From: "Marc Lampo" <marc.lampo at eurid.eu>
> Date: Sat, 27 Nov 2010 13:09:13 +0100 (CET)
> Sender: bind-users-bounces+oberman=es.net at lists.isc.org
> 
> Hello,
> 
> In my opinion, the following situation should be avoided,
> but I'd welcome motivated second opinions.
> 
> A DNSSEC verification script yielded a warning, this morning :
> 
> HIDDEN : (soa = HIDDEN) (# RRSIGS : 1) (keyid : HIDDEN)
> inception        : 20101124231706 ok
> now              : 20101127083003
> expiration       : 20101129231706 ok
> ttl              : 259200
> expiration - ttl : 20101126231706 WARNING (becomes invalid during TTL)
> 
> In summary :
>  There is one (1) RRSIG available,
>  Which is valid now and not yet expired.
>  However, given the TTL, the signature will expire while still in the
> cache.
> 
> Q1: If a RRSIG is found in the cache (cache "hit"),
>     but it is expired.
>     ? should a validating caching name server "ignore" the RRSIG in the
> cache
>       and look for a "refresh" ?

Nope. It should refuse to validate.

>     ? will Bind do so ?
Pretty sure that it will return SERVFAIL.

> Q2: Does Bind "automatic" resigning take the TTL into account ?
>      (so that it does not resign later than "present expiration" - "TTL")
>     Or is this irrelevant because the answer to earlier question
>      is that an expired RRSIG in the cache must be refreshed.

Not sure. The RFCs contain warnings that you MUST take re-signing
interval into account when setting TTL. The interval between ZSK signing
must be set so that the TTL for an expiring key will always expire first
so that the new key will be fetched before the old one expires. I think
the heading in the RFC is "TTL Considerations", but I am working from
memory. 

I don't use BIND to sign my data, so I am not sure how "smart" BIND is
about these numbers.
-- 
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: oberman at es.net			Phone: +1 510 486-8634
Key fingerprint:059B 2DDF 031C 9BA3 14A4  EADA 927D EBB3 987B 3751
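
The arithmetic behind the warning in the quoted script (RRSIG expiration minus the RRset TTL compared to "now") can be reproduced in a few lines. The following is an added example written for this archive page, not code from either poster nor from BIND; the function and field names are my own. It parses the RRSIG presentation-format timestamps (YYYYMMDDHHmmSS, which RFC 4034 defines as UTC), reports whether the signature is currently valid, whether a cached copy would outlive it (the script's WARNING), the latest moment a signer could re-sign without that happening (expiration minus TTL), and the TTL a validator is required to cap the RRset to under RFC 4035 section 5.3.3 (no more than the time left until signature expiration). The sample values are the ones from the quoted message.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Presentation format of the RRSIG Signature Inception / Expiration fields.
# RFC 4034 specifies these as UTC, so every parsed value is made timezone-aware.
RRSIG_TIME_FMT = "%Y%m%d%H%M%S"


def parse_rrsig_time(text: str) -> datetime:
    """Parse a YYYYMMDDHHmmSS RRSIG timestamp as a UTC datetime."""
    return datetime.strptime(text, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class RrsigWindowCheck:
    valid_now: bool            # inception <= now < expiration
    expires_in_cache: bool     # expiration - ttl < now  (the script's WARNING)
    latest_safe_resign: datetime  # expiration - ttl: re-sign no later than this
    capped_ttl: int            # RFC 4035 5.3.3 cap: min(ttl, expiration - now)


def check_rrsig_window(inception: str, expiration: str, ttl: int,
                       now: str) -> RrsigWindowCheck:
    """Evaluate one RRSIG's validity window against the RRset TTL.

    Field names (valid_now, expires_in_cache, ...) are this example's own
    vocabulary, not terms from the RFCs or from the quoted script.
    """
    inc = parse_rrsig_time(inception)
    exp = parse_rrsig_time(expiration)
    now_dt = parse_rrsig_time(now)

    valid_now = inc <= now_dt < exp

    # A copy cached at 'now' with the full TTL would still be served at
    # now + ttl. If that is past 'expiration', the cached RRSIG goes stale.
    latest_safe_resign = exp - timedelta(seconds=ttl)
    expires_in_cache = latest_safe_resign < now_dt

    # RFC 4035 5.3.3: a validator MUST NOT cache the RRset longer than the
    # remaining signature lifetime, so an expired RRSIG is never a cache hit.
    remaining = int((exp - now_dt).total_seconds())
    capped_ttl = max(0, min(ttl, remaining))

    return RrsigWindowCheck(valid_now, expires_in_cache,
                            latest_safe_resign, capped_ttl)


def format_report(inception: str, expiration: str, ttl: int, now: str) -> str:
    """Render the check in the same layout as the quoted script's output."""
    r = check_rrsig_window(inception, expiration, ttl, now)
    lines = [
        f"inception        : {inception} {'ok' if parse_rrsig_time(inception) <= parse_rrsig_time(now) else 'NOT YET VALID'}",
        f"now              : {now}",
        f"expiration       : {expiration} {'ok' if parse_rrsig_time(now) < parse_rrsig_time(expiration) else 'EXPIRED'}",
        f"ttl              : {ttl}",
        f"expiration - ttl : {r.latest_safe_resign.strftime(RRSIG_TIME_FMT)}"
        + (" WARNING (becomes invalid during TTL)" if r.expires_in_cache else " ok"),
        f"validator TTL cap: {r.capped_ttl}",
    ]
    return "\n".join(lines)


if __name__ == "__main__":
    # Values taken from the quoted message (owner name and key id hidden there).
    print(format_report("20101124231706", "20101129231706", 259200,
                        "20101127083003"))
```

With the message's numbers this reproduces the script's WARNING line and also shows that a conforming validator would cache the RRset for at most 226023 seconds (the time left until 20101129231706), not the full 259200, which is why a correctly capped cache never holds an already-expired RRSIG; the residual risk the poster describes is a signer that does not re-sign before expiration minus TTL, leaving a window in which fresh queries fetch a signature that is about to expire.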


