[dns-operations] medicare.gov / cms.gov DNSSEC Validation Failures

Casey Deccio casey at deccio.net
Wed Dec 29 06:22:03 UTC 2010


On Tue, Dec 28, 2010 at 8:03 PM, Richard Laager <rlaager at wiktel.com> wrote:
>
> I'm looking for a DNS contact for medicare.gov (and cms.gov). They are
> failing DNSSEC validation.
>

I've passed this along to a contact at medicare.gov/cms.gov who has
addressed similar issues in the past.

By the way, something to observe here is the dynamics of TTLs and
RRSIG lifetimes.  The TTL of the DNSKEY RRset for medicare.gov is 15
days, and the RRSIG lifetime is 4 days.  This means that even when the
RRSIGs are fresh, they have the potential of expiring in
(non-validating) cache because their TTL is excessive.  My rule of
thumb (for what it's worth) is that an RRSIG lifetime should be *at
least* twice that of the TTL (though perhaps much more).  Regardless,
RRs should be re-signed *at least* one TTL before their RRSIGs expire.

Regards,
Casey
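An added check (not part of Casey's message) that applies the two rules of thumb above to an RRset's TTL and its RRSIG validity window. The 15-day DNSKEY TTL and 4-day RRSIG lifetime are the figures from the post; the inception/expiration timestamps and the time of the check are constructed.

```python
from datetime import datetime, timedelta, timezone

# RRSIG inception/expiration are presented as YYYYMMDDHHmmSS in UTC.
def parse_rrsig_time(value):
    return datetime.strptime(value, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def check_rrsig_lifetime(ttl_seconds, inception, expiration, now, min_ratio=2):
    """Apply both rules of thumb to one signed RRset.

    Returns the signature lifetime, the validity remaining at `now`, the
    worst-case window during which a copy cached at `now` by a
    non-validating resolver is still served after the RRSIG has expired,
    and a list of problems found (empty when the RRset is healthy).
    """
    ttl = timedelta(seconds=ttl_seconds)
    expires = parse_rrsig_time(expiration)
    lifetime = expires - parse_rrsig_time(inception)
    remaining = expires - now
    problems = []
    # Rule 1: RRSIG lifetime should be at least min_ratio times the TTL.
    if lifetime < min_ratio * ttl:
        problems.append(f"RRSIG lifetime {lifetime} is shorter than "
                        f"{min_ratio}x the TTL ({min_ratio * ttl})")
    # Rule 2: re-sign at least one TTL before the RRSIG expires.
    if remaining < ttl:
        problems.append(f"only {remaining} of validity left but TTL is {ttl}: "
                        "re-sign now, cached copies can outlive the signature")
    return {"lifetime": lifetime, "remaining": remaining,
            "stale_window": max(ttl - remaining, timedelta(0)),
            "problems": problems}

def demo():
    # Constructed example shaped like the medicare.gov case: DNSKEY TTL of
    # 15 days, RRSIG lifetime of 4 days, checked 12 hours before expiry.
    return check_rrsig_lifetime(
        ttl_seconds=15 * 86400,
        inception="20101225000000",
        expiration="20101229000000",
        now=parse_rrsig_time("20101228120000"))

if __name__ == "__main__":
    result = demo()
    for problem in result["problems"]:
        print("PROBLEM:", problem)
    print("worst-case stale window:", result["stale_window"])
```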


