[dns-operations] RRSIG expiry versus TTL

Matthew Richardson matthew-l at itconsult.co.uk
Sun Sep 5 16:08:55 UTC 2021


I am wondering whether those more experienced with DNSSEC could cast their
eye on an issue, which is recurring monthly (seemingly at ZSK rollover).

https://dnsviz.net/d/itconsult-dns.info/YST9pA/dnssec/

which reported errors such as:-

>RRSIG itconsult-dns.info/NS alg 13, id 4992: With a TTL of 86400 the
>RRSIG RR can be in the cache of a non-validating resolver until 13
>hours, 39 minutes after it expires at 2021-08-25 00:30:00+00:00.

This domain is only for monitoring and the issue (which was spotted when
resolvers were periodically returning SERVFAIL) has been reported to the
provider.  It seems that their provider is in turn doing the DNSSEC, and
that provider has asserted:-

>it is not possible to query rrsig it directly but only together with
>NS, so it can not be cached on non validating resolver

and:-

>the RRSIG TTL should match the NS record TTL, but ..., the validating
>resolver does not care, and should not, about RRSIG TTL. So the
>difference between the expiration of the rrsig and the TTL shouldn't
>or doesn't impact the online services.

Paraphrasing, they seem to be suggesting that DNSViz is reporting a
theoretical issue which would not affect resolution of names used by "online
services".

Is this correct and that there is no real world problem here?

Also, is there a typo in the DNSViz error message when it refers to "the
cache of a non-validating resolver"?  Does it not mean a "validating"
resolver?

Best wishes,
Matthew

