[dns-operations] RRSIG expiry versus TTL

Wessels, Duane dwessels at verisign.com
Tue Sep 7 14:35:59 UTC 2021

> On Sep 5, 2021, at 9:08 AM, Matthew Richardson <matthew-l at itconsult.co.uk> wrote:
>> the RRSIG TTL should match the NS record TTL, but ..., the validating 
>> resolver does not care, and should not, about RRSIG TTL. So the 
>> difference between the expiration of the rrsig and the TTL shouldn't 
>> or doesn't impact the online services.

That may be true for validating recursive name servers, because the spec
says the validator should use the minimum of the two TTLs if they differ.
However, if there is a non-validating resolver (cache) in the resolution
path then they can be cached differently and the wrong signatures could
be returned to a client.
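As an added illustration of the point above (this is example code, not part of the original message or any resolver's implementation), the following computes how long a validating resolver may cache a signed RRset versus how long a non-validating cache will hold the RRSIG, and how large the resulting window of stale signatures can be. The validator rule assumed here is the one in RFC 4035 section 5.3.3 (cache for the minimum of the RRset TTL, the RRSIG TTL, the Original TTL and the time remaining until signature expiration); the input values are constructed for the demonstration.

```python
from datetime import datetime, timezone


def parse_rrsig_time(field: str) -> datetime:
    """Parse an RRSIG Signature Expiration/Inception field (YYYYMMDDHHmmSS, UTC)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def seconds_until_expiry(expiration: datetime, now: datetime) -> int:
    """Seconds from `now` until the signature expires (negative if already expired)."""
    return int((expiration - now).total_seconds())


def validator_cache_ttl(rrset_ttl: int, rrsig_ttl: int, original_ttl: int,
                        expiration: datetime, now: datetime) -> int:
    """Cache lifetime a validating resolver assigns to the RRset (RFC 4035 5.3.3):
    the minimum of the four values, never below zero."""
    remaining = seconds_until_expiry(expiration, now)
    return max(0, min(rrset_ttl, rrsig_ttl, original_ttl, remaining))


def plain_cache_ttl(rrsig_ttl: int) -> int:
    """A non-validating cache does not inspect the signature at all;
    the RRSIG is held for its own TTL like any other record."""
    return rrsig_ttl


def stale_signature_window(rrsig_ttl: int, expiration: datetime, now: datetime) -> int:
    """Seconds during which a non-validating cache that fetched the RRSIG at `now`
    may still hand out an already-expired signature to its clients."""
    remaining = seconds_until_expiry(expiration, now)
    # If the signature is already expired, every second of the TTL is stale.
    return max(0, rrsig_ttl - max(0, remaining))


def expiry_margin_ok(expiration: datetime, now: datetime, ttl: int, min_margin: int) -> bool:
    """Operational check for a signer/monitor: the signature must outlive the
    longest TTL a downstream cache could apply, plus a safety margin."""
    return seconds_until_expiry(expiration, now) >= ttl + min_margin


if __name__ == "__main__":
    # Constructed example: NS/RRSIG TTL of one hour, signature expiring in 20 minutes.
    now = datetime(2021, 9, 7, 14, 35, 59, tzinfo=timezone.utc)
    expiration = parse_rrsig_time("20210907145559")  # constructed value
    ttl = 3600
    print("validating resolver caches for :", validator_cache_ttl(ttl, ttl, ttl, expiration, now), "s")
    print("non-validating cache holds RRSIG:", plain_cache_ttl(ttl), "s")
    print("possible stale-signature window :", stale_signature_window(ttl, expiration, now), "s")
    print("margin check (ttl + 1h slack)   :", expiry_margin_ok(expiration, now, ttl, 3600))
```

The last function is the check a zone operator would want in monitoring: if the time left on the RRSIG is not comfortably larger than the RRSIG TTL, a non-validating cache in the path can legitimately keep serving that signature past its expiration, and validating clients behind it will fail.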
