DNSSEC : once correct, always correct ?

Tony Finch dot at dotat.at
Wed Aug 17 14:39:14 UTC 2011

Marc Lampo <marc.lampo at eurid.eu> wrote:
> Experimenting with key roll-over timing conditions, with a Bind 9.7.3
> setup, I noticed, today, that this version does not re-validate DNSSEC
> data, once something makes it into its cache.
> I wonder though, if that is correct ?

Yes. When you publish a signed zone you must be aware of the timing
constraints that surround key changes, caused by the lengths of TTLs and
the signature validity periods. Validators are allowed to assume that you
do not delete any keys while there are still signatures out there that are
within their validity periods. There is no way for a publisher to
explicitly signal a key rollover to validators.

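As an added illustration of these timing constraints (it is not part of this message, nor code from BIND), the Python model below assumes a single authoritative server, times measured in hours, one RRset with its RRSIG, and a resolver that, like the one described above, never re-validates an answer once it is in its cache. It contrasts a hasty ZSK rollover (new key published, used for signing and the old key withdrawn all at once) with a pre-publish rollover that waits out the DNSKEY TTL before signing with the new key and keeps the old key until every signature made with it has expired. All key tags, TTLs and timestamps are constructed for the example.

```python
from dataclasses import dataclass


@dataclass
class Key:
    tag: int
    published: int   # time the key enters the DNSKEY RRset
    withdrawn: int   # time it leaves the DNSKEY RRset (exclusive)


@dataclass
class Sig:
    key_tag: int     # key that produced this RRSIG
    inception: int
    expiration: int
    rrset: str


@dataclass
class Zone:
    dnskey_ttl: int
    data_ttl: int
    keys: list
    sigs: list       # RRSIGs for the one RRset, newest last

    def dnskey_set(self, t):
        return {k.tag for k in self.keys if k.published <= t < k.withdrawn}

    def served_sig(self, t):
        # the authoritative server hands out the newest signature inside its validity period
        live = [s for s in self.sigs if s.inception <= t < s.expiration]
        return live[-1] if live else None


class Resolver:
    """Validating resolver with a cache that is trusted until TTL expiry."""

    def __init__(self, zone):
        self.zone = zone
        self.cache = {}  # name -> (value, expiry time)

    def _cached(self, name, t):
        if name in self.cache:
            value, expiry = self.cache[name]
            if t < expiry:
                return value
            del self.cache[name]
        return None

    def dnskeys(self, t):
        keys = self._cached("DNSKEY", t)
        if keys is None:
            keys = self.zone.dnskey_set(t)
            self.cache["DNSKEY"] = (keys, t + self.zone.dnskey_ttl)
        return keys

    def query(self, t):
        """Return 'OK' (cached, or freshly validated) or 'SERVFAIL'."""
        if self._cached("RRSIG", t) is not None:
            return "OK"  # served straight from cache: no re-validation
        sig = self.zone.served_sig(t)
        if sig is None or sig.key_tag not in self.dnskeys(t):
            return "SERVFAIL"  # signature refers to a key this validator does not hold
        # cache for the data TTL, capped at the signature's remaining validity
        self.cache["RRSIG"] = (sig, min(t + self.zone.data_ttl, sig.expiration))
        return "OK"


def earliest_signing_time(new_key, zone):
    # pre-publish rule: every cache must have aged out its old DNSKEY RRset first
    return new_key.published + zone.dnskey_ttl


def earliest_withdrawal(old_key, zone):
    # the rule stated above: never delete a key while a signature it made is still valid
    return max(s.expiration for s in zone.sigs if s.key_tag == old_key.tag)


def rollover_outcomes():
    # hasty rollover: key 2 appears, signs, and key 1 vanishes, all at t=100
    hasty = Zone(dnskey_ttl=24, data_ttl=24,
                 keys=[Key(1, 0, 100), Key(2, 100, 10**9)],
                 sigs=[Sig(1, 0, 240, "www"), Sig(2, 100, 340, "www")])
    r = Resolver(hasty)
    r.dnskeys(99)                    # DNSKEY RRset {1} cached until t=123
    hasty_fresh = r.query(101)       # fresh answer signed by key 2 -> SERVFAIL
    r2 = Resolver(hasty)
    r2.query(99)                     # answer signed by key 1, cached until t=123
    hasty_cached = r2.query(110)     # key 1 is gone, but the cache is not re-checked

    # pre-publish rollover: sign with key 2 only after the DNSKEY TTL, withdraw key 1 at 240
    old, new = Key(1, 0, 240), Key(2, 100, 10**9)
    careful = Zone(dnskey_ttl=24, data_ttl=24, keys=[old, new],
                   sigs=[Sig(1, 0, 240, "www"), Sig(2, 130, 370, "www")])
    r3 = Resolver(careful)
    r3.dnskeys(99)
    careful_early = r3.query(101)    # still signed by key 1 -> OK
    careful_late = r3.query(131)     # DNSKEY cache refreshed to {1, 2} -> OK
    return {"hasty_fresh_answer": hasty_fresh, "hasty_cached_answer": hasty_cached,
            "careful_before_resign": careful_early, "careful_after_resign": careful_late,
            "sign_with_new_key_from": earliest_signing_time(new, careful),
            "withdraw_old_key_from": earliest_withdrawal(old, careful)}


if __name__ == "__main__":
    print(rollover_outcomes())
```

The hasty case fails exactly where a real validator would: it holds a DNSKEY RRset without the new key and receives a fresh answer signed by it. The second resolver in that case shows the behaviour observed in the quoted report, an answer validated before the old key disappeared is served from cache unchanged. The model ignores secondary-server propagation delay, which in practice lengthens both waiting periods.
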
This is the most operationally subtle part of DNSSEC...

> If I overlooked something obvious, sorry for the interrupt (but thanks
> for sending clarifying references).
