[dns-operations] Too long a DS lifetime

Viktor Dukhovni ietf-dane at dukhovni.org
Thu Apr 19 21:29:20 UTC 2018

> On Apr 19, 2018, at 4:25 PM, Rubens Kuhl <rubensk at nic.br> wrote:
> I'm trying to figure out why a name (www.cnj.jus.br) is not being accepted when DNSSEC validation is turned on in Unbound. DNSViz shows no warnings; Zonemaster shows this warning:
> RRSIG with keytag 35131 and covering type(s) SOA expires at : Thu Mar 22 15:26:57 2068.
> RRSIG with keytag 35131 and covering type(s) SOA has a remaining validity of 1575486469 seconds, which is too long.
> Is there an upper bound (a) specified in RFCs or (b) adopted by Unbound?

Perhaps the below thread is relevant:


The comparison functions were fixed, so if this is it, a sufficiently recent unbound (1.69 or later) should fix it.

