[dns-operations] Too long a DS lifetime
Viktor Dukhovni
ietf-dane at dukhovni.org
Thu Apr 19 21:29:20 UTC 2018
> On Apr 19, 2018, at 4:25 PM, Rubens Kuhl <rubensk at nic.br> wrote:
>
>
> I'm trying to figure out why a name (www.cnj.jus.br) is not being accepted when DNSSEC validation is turned on in Unbound. DNSViz shows no warnings; Zonemaster shows this warning:
>
> RRSIG with keytag 35131 and covering type(s) SOA expires at : Thu Mar 22 15:26:57 2068.
> RRSIG with keytag 35131 and covering type(s) SOA has a remaining validity of 1575486469 seconds, which is too long.
>
> Is there an upper bound (a) specified in RFCs or (b) adopted by Unbound?

Perhaps the below thread is relevant:

https://unbound.nlnetlabs.nl/pipermail/unbound-users/2017-December/thread.html#5024

The comparison functions were fixed, so if this is it, a sufficiently recent unbound (1.69 or later) should fix it.
--
Viktor.
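
On the RFC side of the question: RFC 4034 section 3.1.5 makes RRSIG inception and expiration 32-bit fields and requires them to be compared with RFC 1982 serial number arithmetic, which limits a usable signature lifetime to under 2^31 seconds (about 68 years). The following is an added example, not code from this post or from Unbound; it applies that comparison to the expiration quoted above, assuming the Zonemaster timestamp is UTC and using a constructed inception time.

```python
import calendar

MASK = 0xFFFFFFFF      # RRSIG time fields are unsigned 32-bit (RFC 4034 3.1.5)
HALF = 1 << 31         # RFC 1982 comparison window, about 68 years of seconds


def serial_gt(a: int, b: int) -> bool:
    """True if 32-bit serial a is later than b under RFC 1982 arithmetic."""
    diff = (a - b) & MASK
    return diff != 0 and diff < HALF


def rrsig_time_ok(inception: int, expiration: int, now: int) -> bool:
    """Validity-window check on the 32-bit RRSIG time fields."""
    inception, expiration, now = (v & MASK for v in (inception, expiration, now))
    if serial_gt(inception, expiration):
        return False   # lifetime of 2^31 s or more looks like "expires first"
    if serial_gt(inception, now):
        return False   # not yet valid
    return not serial_gt(now, expiration)


def remaining_validity(expiration: int, now: int) -> int:
    """Seconds until expiration (negative once past), wrap-aware."""
    diff = (expiration - now) & MASK
    return diff if diff < HALF else diff - (1 << 32)


# Expiration from the Zonemaster output above, read as UTC (assumption).
EXPIRATION = calendar.timegm((2068, 3, 22, 15, 26, 57))
# Time of the test, reconstructed from the reported remaining validity.
NOW = EXPIRATION - 1575486469
# Constructed inception, 30 days earlier; the post does not give one.
INCEPTION = NOW - 30 * 86400

if __name__ == "__main__":
    print("expiration:", EXPIRATION, "now:", NOW)
    print("remaining :", remaining_validity(EXPIRATION, NOW))
    print("time check:", rrsig_time_ok(INCEPTION, EXPIRATION, NOW))
```

The reported 1575486469 seconds is below 2^31, so a validator that compares these fields as RFC 1982 serials accepts the window; a lifetime of 70 years would fail the same check.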