[dns-operations] RRSIG expiry versus TTL
dwessels at verisign.com
Tue Sep 7 14:35:59 UTC 2021
> On Sep 5, 2021, at 9:08 AM, Matthew Richardson <matthew-l at itconsult.co.uk> wrote:
>> the RRSIG TTL should match the NS record TTL, but ..., the validating
>> resolver does not care, and should not, about RRSIG TTL. So the
>> difference between the expiration of the rrsig and the TTL shouldn't
>> or doesn't impact the online services.
That may be true for validating recursive name servers, because the spec
says the validator should use the minimum of the two TTLs if they differ.
However, if there is a non-validating resolver (cache) in the resolution
path then they can be cached differently and the wrong signatures could
be returned to a client.
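An added example, not from the thread: a small Python model of the two caching behaviours the reply contrasts. The validating cache clamps its cached TTL to the minimum of the RRset TTL, the RRSIG TTL and the time left until signature expiration (the rule in RFC 4035 section 5.3.3, with the Original TTL term left out for brevity); the non-validating cache keeps each record for its own TTL and never looks at the expiration. All names, TTLs and timestamps are constructed.

```python
from dataclasses import dataclass

@dataclass
class RRset:
    name: str
    rtype: str
    ttl: int            # TTL as received, in seconds

@dataclass
class RRSIG:
    covers: str
    ttl: int            # RRSIG TTL as received (should equal the covered RRset TTL)
    expiration: int     # absolute signature expiration, seconds (constructed clock)

def validator_cache_ttl(rrset: RRset, sig: RRSIG, now: int) -> int:
    """TTL a validating resolver caches with: no more than the RRset TTL,
    the RRSIG TTL, or the seconds remaining until the signature expires."""
    return max(0, min(rrset.ttl, sig.ttl, sig.expiration - now))

def validator_answers_from_cache(rrset, sig, fetched_at, asked_at) -> bool:
    """A validator re-queries once the clamped TTL has run out."""
    return asked_at < fetched_at + validator_cache_ttl(rrset, sig, fetched_at)

def non_validating_cache(rrset, sig, fetched_at, asked_at):
    """A plain cache keeps the RRset and the RRSIG for their own TTLs only."""
    rrset_alive = asked_at < fetched_at + rrset.ttl
    sig_alive = asked_at < fetched_at + sig.ttl
    return rrset_alive, sig_alive

def signature_valid(sig: RRSIG, at: int) -> bool:
    return at < sig.expiration

def serves_stale_signature(rrset, sig, fetched_at, asked_at) -> bool:
    """True when a non-validating cache in the path would still answer from
    cache with an RRSIG that a downstream validator would reject as expired."""
    rr_alive, sig_alive = non_validating_cache(rrset, sig, fetched_at, asked_at)
    return rr_alive and sig_alive and not signature_valid(sig, asked_at)

# Constructed scenario: NS TTL of two days, but the signature expires in one hour.
NS = RRset("example.test.", "NS", ttl=172800)
SIG = RRSIG("NS", ttl=172800, expiration=1000 + 3600)
FETCHED_AT = 1000

if __name__ == "__main__":
    print("validator caches for", validator_cache_ttl(NS, SIG, FETCHED_AT), "s")
    for asked_at in (FETCHED_AT + 1800, FETCHED_AT + 7200):
        print(asked_at, "validator from cache:",
              validator_answers_from_cache(NS, SIG, FETCHED_AT, asked_at),
              "plain cache serves expired RRSIG:",
              serves_stale_signature(NS, SIG, FETCHED_AT, asked_at))
```

Two hours after the fetch the validator has already re-queried, while the plain cache still hands out the NS RRset with a signature that expired an hour earlier.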