[dns-operations] [DNSSEC] Signature lifetime

Shane Kerr shane at isc.org
Fri Jun 25 15:18:37 UTC 2010


On Thu, 2010-06-24 at 07:53 +1000, Mark Andrews wrote:
> Signature life time should be greater than (RRset ttl + SOA expire)
> or else you will have caches handing out RRsets that do no validate.

Perhaps we should design caches that remove such RRsets, to help people
who get their timings wrong?


More information about the dns-operations mailing list