[dns-operations] medicare.gov / cms.gov DNSSEC Validation Failures

Rose, Scott W. scott.rose at nist.gov
Wed Dec 29 14:58:49 UTC 2010

medicare and cms aren't the only zones in .gov that have strange TTL values.  Usually it is in the "correct" ratio: the TTL is a fraction of the RRSIG validity period.  However, there seems to be one vendor who has hardcoded the ratio to be half, so RRSIG validity periods of 30 days result in TTL values of 15 days.


On Dec 29, 2010, at 1:22 AM, Casey Deccio wrote:

> On Tue, Dec 28, 2010 at 8:03 PM, Richard Laager <rlaager at wiktel.com> wrote:
>> I'm looking for a DNS contact for medicare.gov (and cms.gov). They are
>> failing DNSSEC validation.
> I've passed this along to a contact at medicare.gov/cms.gov who has
> addressed similar issues in the past.
> By the way, something to observe here is the dynamics of TTLs and
> RRSIG lifetimes.  The TTL of the DNSKEY RRset for medicare.gov is 15
> days, and the RRSIG lifetime is 4 days.  This means that even when the
> RRSIGs are fresh, they have the potential of expiring in
> (non-validating) cache because their TTL is excessive.  My rule of
> thumb (for what it's worth) is that an RRSIG lifetime should be *at
> least* twice that of the TTL (though perhaps much more).  Regardless,
> RRs should be re-signed *at least* one TTL before their RRSIGs expire.
> Regards,
> Casey
> _______________________________________________
> dns-operations mailing list
> dns-operations at lists.dns-oarc.net
> https://lists.dns-oarc.net/mailman/listinfo/dns-operations

Scott Rose
scottr at nist.gov
+1 301-975-8439
Google Voice: +1 571-249-3671
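The TTL-versus-RRSIG-lifetime relationship discussed above (Scott's observation about a hardcoded half ratio and Casey's rule of thumb that the RRSIG lifetime should be at least twice the TTL, with re-signing at least one TTL before expiry) can be checked mechanically. The following is an added example, not code from either poster or from any .gov operator: it parses an RRSIG in zone-file presentation format and reports the conditions the thread describes. The record, the zone name, the key tag and the signature are constructed placeholders that mirror the numbers in the thread (a 15-day TTL on a 4-day signature).

```python
from datetime import datetime, timedelta, timezone

# Constructed sample record, not a real .gov RRSIG: 15-day TTL (1296000 s) on a
# signature valid for only 4 days. Key tag and signature are placeholders.
SAMPLE_RRSIG = (
    "example.gov. 1296000 IN RRSIG DNSKEY 7 2 1296000 "
    "20101231000000 20101227000000 12345 example.gov. AAAAexampleSignature=="
)


def _ts(text):
    """Parse an RRSIG YYYYMMDDHHMMSS timestamp as UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Parse one RRSIG record in presentation format into its useful fields.

    Field order: owner ttl class RRSIG type-covered alg labels orig-ttl
    expiration inception keytag signer signature.
    """
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": f[0],
        "ttl": int(f[1]),
        "type_covered": f[4],
        "expiration": _ts(f[8]),
        "inception": _ts(f[9]),
        "signer": f[11],
    }


def check_rrsig(rrsig, now):
    """Apply the thread's rules of thumb; return a list of (code, message)."""
    ttl = timedelta(seconds=rrsig["ttl"])
    validity = rrsig["expiration"] - rrsig["inception"]
    findings = []

    # Rule 1: RRSIG lifetime should be at least twice the TTL.
    if validity < 2 * ttl:
        findings.append(("VALIDITY_TOO_SHORT",
                         "RRSIG validity %s is less than twice the TTL %s; "
                         "a cached copy can outlive its signature" % (validity, ttl)))

    # Rule 2: re-sign at least one TTL before the RRSIG expires, so that no
    # resolver is still serving the old RRSIG from cache after expiry.
    resign_by = rrsig["expiration"] - ttl
    if now > resign_by:
        findings.append(("RESIGN_OVERDUE",
                         "latest safe re-sign time %s has passed" % resign_by))

    # Plain validity-window checks a validator would make.
    if now > rrsig["expiration"]:
        findings.append(("EXPIRED", "RRSIG expired at %s" % rrsig["expiration"]))
    if now < rrsig["inception"]:
        findings.append(("NOT_YET_VALID",
                         "RRSIG inception %s is in the future" % rrsig["inception"]))
    return findings


def audit(line, now_text):
    """Convenience wrapper: RRSIG presentation line plus a YYYYMMDDHHMMSS 'now'."""
    return check_rrsig(parse_rrsig(line), _ts(now_text))


if __name__ == "__main__":
    # 'now' is the timestamp of the post this example accompanies.
    for code, msg in audit(SAMPLE_RRSIG, "20101229145849"):
        print("%-18s %s" % (code, msg))
```

Run against the constructed record it reports both VALIDITY_TOO_SHORT and RESIGN_OVERDUE, which is the situation Casey describes: the signature is still fresh, yet copies already in non-validating caches can expire before the TTL runs out. Feeding it the output of `dig +dnssec DNSKEY <zone>` line by line (each RRSIG line passed to `audit`) gives a quick health check of a zone's signing schedule.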
