caching of expired RRSIG's?

Marc Lampo marc.lampo at
Mon Jan 3 09:17:24 UTC 2011

Hello group,
and my best wishes for a healthy and challenging 2011!

Allow me to return to the issue of caching expired RRSIG's.
In RFC 4035, the DNSSEC “protocol” RFC, section 4, “Resolving”, subsection 4.5, “Response Caching”, reads:

   A security-aware resolver SHOULD cache each response as a single
   atomic entry containing the entire answer, including the named RRset
   and any associated DNSSEC RRs.  The resolver SHOULD discard the
   entire atomic entry when any of the RRs contained in it expire.

In a preceding paragraph on “Recursive Name Servers” (3.2), it reads:
   The resolver side follows the usual rules for caching and negative
   caching that would apply to any security-aware resolver.

--> I interpret that the discarding of an entire atomic entry
    when (even at least) one RRSIG in it expires (even though others may
    still be valid)
    is a recommendation (only).

If anybody disagrees with this interpretation,
 and interprets it as: expired RRSIG's *must* be deleted from a cache,
would you be so kind as to share the reference(s) to any RFC's on which you base
your interpretation?

At this moment, we continue to warn against RRSIG's that may expire while
in some cache
(because throwing them out is "recommended" only).
And those implementations that do follow the interpretation
 should not cache a reply with any RRSIG already expired,
 even if there are other RRSIG's that are still valid
 and still allow for successful validation of the entire answer.

Thanks and kind regards,

Marc Lampo
Security Officer
    Woluwelaan 150    
    1831 Diegem - Belgium
    TEL.: +32 (0) 2 401 3030
    MOB.:+32 (0)476 984 391
    marc.lampo at
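The cache behaviour quoted from section 4.5 above, as an added illustration that is not part of the post: the whole answer is one atomic entry, its lifetime is the earliest expiry of any RR in it, and an RRSIG counts as expired at its TTL or its Signature Expiration, whichever comes first. The RRset classes, the sample CNAME-chain answer and the clock value are constructed for this example and assumed; the example does not model signature validation itself.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Clock used by the constructed sample below: the time stamp of the post.
NOW = datetime(2011, 1, 3, 9, 17, 24, tzinfo=timezone.utc)

@dataclass
class RRSIG:
    ttl: int                # TTL as received, in seconds
    expiration: datetime    # the RRSIG Signature Expiration field (UTC)

@dataclass
class RRset:
    name: str
    rtype: str
    ttl: int                # TTL as received, in seconds
    rrsigs: list            # RRSIG RRs covering this RRset

def entry_expiry(rrsets, now):
    """Earliest moment at which any RR in the atomic entry expires: a plain RR
    when its TTL runs out, an RRSIG at its TTL or its Signature Expiration,
    whichever comes first."""
    deadlines = []
    for rrset in rrsets:
        deadlines.append(now + timedelta(seconds=rrset.ttl))
        for sig in rrset.rrsigs:
            deadlines.append(now + timedelta(seconds=sig.ttl))
            deadlines.append(sig.expiration)
    return min(deadlines)

def seconds_until_expiry(rrsets, now):
    """Seconds the whole entry may stay cached; <= 0 means do not cache it."""
    return int((entry_expiry(rrsets, now) - now).total_seconds())

def cacheable(rrsets, now):
    """Section 4.5 read strictly: one expired RRSIG rejects the whole answer,
    even when the other RRSIGs would still validate."""
    return seconds_until_expiry(rrsets, now) > 0

def sample_answer(a_sig_offset):
    """Constructed CNAME-chain answer (two RRsets, one RRSIG each); the RRSIG over
    the A RRset expires a_sig_offset seconds from NOW (negative = already expired)."""
    cname_sig = RRSIG(ttl=3600, expiration=NOW + timedelta(days=7))
    a_sig = RRSIG(ttl=3600, expiration=NOW + timedelta(seconds=a_sig_offset))
    return [RRset("www.example.", "CNAME", 3600, [cname_sig]),
            RRset("host.example.", "A", 3600, [a_sig])]

if __name__ == "__main__":
    print(seconds_until_expiry(sample_answer(1800), NOW))   # 1800: capped by the RRSIG
    print(cacheable(sample_answer(-3600), NOW))             # False: one RRSIG already expired
```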
