caching of expired RRSIG's ?

Marc Lampo marc.lampo at
Mon Jan 3 09:35:10 UTC 2011

I agree for the consequence of those "cache misses".
But doesnot that mean that RFC4035 needs amended to state :
 "remove atomic entry if *all* its RRSIGs get invalid"
(because now it states : any = "at least one")

And it implicitly confirms that these statements in the RFC
do apply to expired RRSIG's in the cache.

Thanks and kind regards,

Marc Lampo

-----Original Message-----
From: Florian Weimer [mailto:fweimer at]
Sent: 03 January 2011 10:22 AM
To: Marc Lampo
Cc: bind-users at
Subject: Re: caching of expired RRSIG's ?

* Marc Lampo:

> If anybody disagrees with this interpretation,
>  and interprets it like expired RRSIG's *must* be deleted from a cache,
> would you be so kind to share the reference(s) any RFC's on which you
> your interpretation.

You need to cache expired RRSIGs for some time, or else every DO=1
query for the relevant record triggers a cache miss, which would be

This negative caching of DNSSEC-related failure is optional according
to the RFC, but is required as a practical matter in implementations
suitable for large-scale deployment.

Florian Weimer                <fweimer at>
BFK edv-consulting GmbH
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

Register your .eu domain name and win an iPod touch this X-Mas

More information about the bind-users mailing list