DNSSEC : once correct, always correct ?

Tony Finch dot at dotat.at
Wed Aug 17 14:54:08 UTC 2011

Marc Lampo <marc.lampo at eurid.eu> wrote:

> Meaning that that it actually does not re-verify,
> once data was found to be OK and allowed in the cache.

The point of a cache is to avoid network round trips to re-fetch or
re-validate data while it is in the cache. The DNS protocol tells the
cache how long the zone publisher promises that the data will be valid.
The cache can therefore store it without doing any extra work to
re-examine the data for that period of time. If you break that promise you
break the cache's assumptions.

f.anthony.n.finch  <dot at dotat.at>  http://dotat.at/
Fair Isle, Faeroes: Variable, mainly west 3 or 4. Slight or moderate. Showers,
fog patches at first. Moderate or good, occasionally very poor at first.

More information about the bind-users mailing list