[dns-operations] RRSIG expiry versus TTL

Wessels, Duane dwessels at verisign.com
Tue Sep 7 14:35:59 UTC 2021
> On Sep 5, 2021, at 9:08 AM, Matthew Richardson <matthew-l at itconsult.co.uk> wrote:
> 
>> the RRSIG TTL should match the NS record TTL, but ..., the validating 
>> resolver does not care, and should not, about RRSIG TTL. So the 
>> difference between the expiration of the rrsig and the TTL shouldn't 
>> or doesn't impact the online services.
> 

That may be true for validating recursive name servers, because the spec
says the validator should use the minimum of the two TTLs if they differ.
However, if there is a non-validating resolver (cache) in the resolution
path then they can be cached differently and the wrong signatures could
be returned to a client.

DW
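A small model of the two cache behaviours described above, as an added example that is not part of the original thread or Verisign's code: a validating resolver caps the cache lifetime of an RRset and its RRSIG at the minimum of the RRset TTL, the RRSIG TTL, the RRSIG Original TTL field and the seconds remaining until Signature Expiration (RFC 4035 section 5.3.3), whereas a non-validating cache keeps each record for the TTL it arrived with. The zone name, TTLs, timestamps and the `simulate`/`answer_status` helpers are constructed for the illustration; the RRSIG here carries only the fields the TTL logic needs, not a real signature.

```python
"""Toy DNS cache showing why RRSIG expiry must cap cache TTLs.

Added example, not code from the original mailing-list post. Zone data,
timestamps and helper names are constructed for the illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    ttl: int
    rdata: Tuple[str, ...]


@dataclass(frozen=True)
class RRSIG:
    """Only the RRSIG RDATA fields relevant to caching; no real signature."""
    name: str
    type_covered: str
    ttl: int
    original_ttl: int
    inception: int    # absolute seconds since the epoch, as in the RDATA
    expiration: int


def validator_ttl(rrset: RRset, rrsig: RRSIG, now: int) -> int:
    """Cache TTL a validating resolver may use for the pair (RFC 4035 5.3.3):
    no greater than the RRset TTL, the RRSIG TTL, the Original TTL field,
    and the time left until Signature Expiration."""
    return max(0, min(rrset.ttl, rrsig.ttl, rrsig.original_ttl,
                      rrsig.expiration - now))


class Cache:
    """Minimal TTL cache keyed by (name, type) or (name, "RRSIG", covered)."""

    def __init__(self) -> None:
        self._entries: Dict[tuple, Tuple[object, int]] = {}

    def put(self, key: tuple, record: object, ttl: int, now: int) -> None:
        self._entries[key] = (record, now + ttl)

    def get(self, key: tuple, now: int) -> Optional[object]:
        hit = self._entries.get(key)
        if hit is None or now >= hit[1]:
            return None  # absent or TTL elapsed
        return hit[0]


def store_non_validating(cache: Cache, rrset: RRset, rrsig: RRSIG, now: int) -> None:
    """A non-validating cache treats the RRset and its RRSIG as unrelated
    records, each retained for the TTL it carried on the wire."""
    cache.put((rrset.name, rrset.rtype), rrset, rrset.ttl, now)
    cache.put((rrsig.name, "RRSIG", rrsig.type_covered), rrsig, rrsig.ttl, now)


def store_validating(cache: Cache, rrset: RRset, rrsig: RRSIG, now: int) -> None:
    """A validating resolver stores both records under one capped TTL."""
    ttl = validator_ttl(rrset, rrsig, now)
    cache.put((rrset.name, rrset.rtype), rrset, ttl, now)
    cache.put((rrsig.name, "RRSIG", rrsig.type_covered), rrsig, ttl, now)


def answer_status(cache: Cache, name: str, rtype: str, now: int) -> str:
    """How a validating client downstream would classify the cached answer."""
    rrset = cache.get((name, rtype), now)
    rrsig = cache.get((name, "RRSIG", rtype), now)
    if rrset is None or rrsig is None:
        return "miss"            # the cache has to re-query the authority
    if now > rrsig.expiration:
        return "bogus-expired"   # RRSIG handed out past its expiration time
    return "secure"


# Constructed zone data: both TTLs are one day, but the signature expires
# two hours after it was fetched, the TTL/expiry mismatch under discussion.
T0 = 1_630_000_000
NS = RRset("example.", "NS", 86400, ("ns1.example.", "ns2.example."))
SIG = RRSIG("example.", "NS", 86400, 86400, T0 - 3600, T0 + 7200)


def simulate(store, probe_time: int) -> str:
    """Fill a fresh cache at T0 with the given strategy and query it later."""
    cache = Cache()
    store(cache, NS, SIG, T0)
    return answer_status(cache, "example.", "NS", probe_time)


if __name__ == "__main__":
    for label, store in (("non-validating", store_non_validating),
                         ("validating", store_validating)):
        print(label, "+1h:", simulate(store, T0 + 3600),
              "| +2h01s:", simulate(store, T0 + 7201))
```

One hour after the fetch both caches answer identically; one second after the signature expires, the validating cache has already dropped both records and goes back to the authority, while the non-validating cache still has a day of TTL left on the RRSIG and serves it, so a validating client behind it sees an expired signature.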
