caching of expired RRSIG's ?
Marc Lampo
marc.lampo at eurid.eu
Mon Jan 3 09:35:10 UTC 2011
I agree for the consequence of those "cache misses".
But doesnot that mean that RFC4035 needs amended to state :
"remove atomic entry if *all* its RRSIGs get invalid"
(because now it states : any = "at least one")
And it implicitly confirms that these statements in the RFC
do apply to expired RRSIG's in the cache.
Thanks and kind regards,
Marc Lampo
EURid
-----Original Message-----
From: Florian Weimer [mailto:fweimer at bfk.de]
Sent: 03 January 2011 10:22 AM
To: Marc Lampo
Cc: bind-users at lists.isc.org
Subject: Re: caching of expired RRSIG's ?
* Marc Lampo:
> If anybody disagrees with this interpretation,
> and interprets it like expired RRSIG's *must* be deleted from a cache,
> would you be so kind to share the reference(s) any RFC's on which you
base
> your interpretation.
You need to cache expired RRSIGs for some time, or else every DO=1
query for the relevant record triggers a cache miss, which would be
problematic.
This negative caching of DNSSEC-related failure is optional according
to the RFC, but is required as a practical matter in implementations
suitable for large-scale deployment.
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
Register your .eu domain name and win an iPod touch this X-Mas
http://www.winwith.eu
More information about the bind-users
mailing list