DNSSEC - 1 RRSIG - expires while in cache

Niobos niobos at dest-unreach.be
Sat Nov 27 19:20:33 UTC 2010


On 2010-11-27 13:09, Marc Lampo wrote:
> Q2: Does Bind "automatic" resigning take the TTL into account?
>      (so that it does not resign later than "present expiration" - "TTL")
Depending on the configuration:

> sig-validity-interval
> Specifies the number of days into the future when DNSSEC signatures automatically generated as a result of dynamic updates (the section
> called "Dynamic Update") will expire. There is an optional second field which specifies how long before expiry that the signatures will be
> regenerated. If not specified, the signatures will be regenerated at 1/4 of base interval. The second field is specified in days if the base
> interval is greater than 7 days otherwise it is specified in hours. The default base interval is 30 days giving a re-signing interval of 7
> 1/2 days. The maximum values are 10 years (3660 days).
>
> The signature inception time is unconditionally set to one hour before the current time to allow for a limited amount of clock skew.
>
> The sig-validity-interval should be, at least, several multiples of the SOA expire interval to allow for reasonable interaction between the
> various timer and expiry dates.

If your TTL is longer than 7.5 days, bind will NOT resign correctly
without this option.

greetings,
Niobos
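Added worked example (not from the thread or from BIND itself): a small model of the quoted sig-validity-interval rules that checks whether a record's TTL fits inside BIND's re-signing window. It assumes the worst case in which a resolver caches the RRSIG an instant before BIND regenerates it, so only the re-signing lead time of validity remains while the cache serves it for the full TTL; the function names are my own.

```python
from datetime import timedelta
from typing import Optional, Tuple

MAX_BASE_DAYS = 3660  # documented maximum for sig-validity-interval (10 years)


def sig_validity(base_days: int, resign: Optional[int] = None) -> Tuple[timedelta, timedelta]:
    """Model `sig-validity-interval <base> [<resign>]` as quoted above.

    Returns (validity, resign_lead): a signature expires `validity` after it is
    generated and is regenerated once `resign_lead` remains before expiry.
    The second field is in days when the base interval exceeds 7 days and in
    hours otherwise; when omitted it defaults to a quarter of the base interval.
    """
    if not 1 <= base_days <= MAX_BASE_DAYS:
        raise ValueError(f"base interval must be between 1 and {MAX_BASE_DAYS} days")
    validity = timedelta(days=base_days)
    if resign is None:
        resign_lead = validity / 4
    elif base_days > 7:
        resign_lead = timedelta(days=resign)
    else:
        resign_lead = timedelta(hours=resign)
    if resign_lead >= validity:
        raise ValueError("re-signing lead time must be shorter than the validity period")
    return validity, resign_lead


def cached_rrsig_overrun(base_days: int, resign: Optional[int], ttl_seconds: int) -> timedelta:
    """Worst case for a validating resolver: it fetches the RRSIG just before
    BIND re-signs (only `resign_lead` of validity left) and then serves the
    record from cache for the whole TTL. A positive result is how long the
    cached signature is already expired before the cache entry ages out;
    zero or negative means the TTL fits inside the re-signing window."""
    _, resign_lead = sig_validity(base_days, resign)
    return timedelta(seconds=ttl_seconds) - resign_lead


def ttl_is_safe(base_days: int, resign: Optional[int], ttl_seconds: int) -> bool:
    """True when every cached copy of the RRSIG is evicted before it expires."""
    return cached_rrsig_overrun(base_days, resign, ttl_seconds) <= timedelta(0)


if __name__ == "__main__":
    # Default "30" with a 10-day TTL: cached signatures outlive validity by 2.5 days.
    print(cached_rrsig_overrun(30, None, 10 * 86400))
    # Explicit "30 10": the re-signing lead now covers a 10-day TTL.
    print(ttl_is_safe(30, 10, 10 * 86400))
```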
