caching of expired RRSIG's ?

Florian Weimer fweimer at
Mon Jan 3 09:22:01 UTC 2011

* Marc Lampo:

> If anybody disagrees with this interpretation,
>  and interprets it like expired RRSIG's *must* be deleted from a cache,
> would you be so kind to share the reference(s) any RFC's on which you base
> your interpretation.

You need to cache expired RRSIGs for some time, or else every DO=1
query for the relevant record triggers a cache miss, which would be

This negative caching of DNSSEC-related failure is optional according
to the RFC, but is required as a practical matter in implementations
suitable for large-scale deployment.

Florian Weimer                <fweimer at>
BFK edv-consulting GmbH
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

More information about the bind-users mailing list