[dns-operations] Too long a DS lifetime

Rubens Kuhl rubensk at nic.br
Thu Apr 19 20:25:34 UTC 2018


I'm trying to figure out why a name (www.cnj.jus.br) is not being accepted when DNSSEC validation is turned on in Unbound. DNSViz shows no warnings; Zonemaster shows this warning:

RRSIG with keytag 35131 and covering type(s) SOA expires at : Thu Mar 22 15:26:57 2068.
RRSIG with keytag 35131 and covering type(s) SOA has a remaining validity of 1575486469 seconds, which is too long.

Is there an upper bound (a) specified in RFCs or (b) adopted by Unbound?


Rubens



