[dns-operations] RRSIG expiry versus TTL
Wessels, Duane
dwessels at verisign.com
Tue Sep 7 14:35:59 UTC 2021
> On Sep 5, 2021, at 9:08 AM, Matthew Richardson <matthew-l at itconsult.co.uk> wrote:
>
>> the RRSIG TTL should match the NS record TTL, but ..., the validating
>> resolver does not care, and should not, about RRSIG TTL. So the
>> difference between the expiration of the rrsig and the TTL shouldn't
>> or doesn't impact the online services.
>
That may be true for validating recursive name servers, because the spec
says the validator should use the minimum of the two TTLs if they differ.
However, if there is a non-validating resolver (cache) in the resolution
path, then they can be cached differently and the wrong signatures could
be returned to a client.
DW
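Added illustration, not code from the message above or from any list participant: a small Python model of the two cache behaviours described in the reply. The validating cache applies the RFC 4035 section 5.3.3 rule (cache the RRset and its RRSIG together with TTL = min(RRset TTL, RRSIG TTL, RRSIG Original TTL, seconds until Signature Expiration)); the non-validating cache is a simplified model, assumed here, that stores the RRset and RRSIG as independent entries with their own TTLs and refreshes only the entry that has aged out. The zone name, TTLs, key tags and clock values are constructed, and the RRSIG's `signed_rdata` field stands in for a real signature so that a mismatch can be detected without cryptography.

```python
"""Model of RRSIG expiry and TTL handling in a validating vs. a
non-validating cache.  All zone data and timestamps are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class RRset:
    name: str
    rtype: str
    ttl: int
    rdata: tuple


@dataclass(frozen=True)
class RRSIG:
    covers: str
    ttl: int
    original_ttl: int
    inception: int        # absolute seconds on a constructed clock
    expiration: int
    key_tag: int
    signed_rdata: tuple   # stand-in for the signature: the rdata it was made over


def validator_ttl(rrset, rrsig, now):
    """RFC 4035 section 5.3.3: TTL a validator caches the pair under."""
    return max(0, min(rrset.ttl, rrsig.ttl, rrsig.original_ttl,
                      rrsig.expiration - now))


def check(rrset, rrsig, now):
    """What a validating client downstream would conclude about the pair."""
    if rrsig is None:
        return "unsigned"
    if not rrsig.inception <= now <= rrsig.expiration:
        return "expired"
    if rrsig.covers != rrset.rtype or rrsig.signed_rdata != rrset.rdata:
        return "mismatch"
    return "ok"


class Authoritative:
    """Constructed zone: versions is an ordered list of (valid_from, rrset,
    rrsig); the newest version with valid_from <= now is answered."""
    def __init__(self, versions):
        self.versions = versions

    def answer(self, now):
        for valid_from, rrset, rrsig in reversed(self.versions):
            if valid_from <= now:
                return rrset, rrsig
        raise ValueError("no zone version valid at this time")


class ValidatingCache:
    """Caches RRset and RRSIG as one entry under the clamped TTL."""
    def __init__(self, auth):
        self.auth, self.entry = auth, None

    def resolve(self, now):
        if self.entry is None or now >= self.entry[2]:
            rrset, rrsig = self.auth.answer(now)
            self.entry = (rrset, rrsig, now + validator_ttl(rrset, rrsig, now))
        return self.entry[0], self.entry[1]


class NonValidatingCache:
    """Assumed simplified model: RRset and RRSIG are separate entries, each
    honouring its own TTL, and only an aged-out entry is fetched again."""
    def __init__(self, auth):
        self.auth, self.rrset, self.rrsig = auth, None, None

    def resolve(self, now):
        if self.rrset is None or now >= self.rrset[1]:
            rrset, _ = self.auth.answer(now)
            self.rrset = (rrset, now + rrset.ttl)
        if self.rrsig is None or now >= self.rrsig[1]:
            _, rrsig = self.auth.answer(now)
            self.rrsig = (rrsig, now + rrsig.ttl)
        return self.rrset[0], self.rrsig[0]


NS_OLD = ("ns1.example.", "ns2.example.")
NS_NEW = ("ns3.example.", "ns4.example.")
DAY = 86400


def scenario_expiry_before_ttl():
    """RRSIG TTL equals the NS TTL (1 day) but the signature expires after
    one hour; the zone is re-signed with the same data 50 minutes in."""
    v1 = (0, RRset("example.", "NS", DAY, NS_OLD),
          RRSIG("NS", DAY, DAY, 0, 3600, 11111, NS_OLD))
    v2 = (3000, RRset("example.", "NS", DAY, NS_OLD),
          RRSIG("NS", DAY, DAY, 3000, 3000 + 14 * DAY, 11111, NS_OLD))
    return Authoritative([v1, v2])


def scenario_ttl_mismatch():
    """NS TTL 2 days, RRSIG TTL 1 hour, long-lived signature; the NS set is
    changed and re-signed with a new key 30 minutes in."""
    v1 = (0, RRset("example.", "NS", 2 * DAY, NS_OLD),
          RRSIG("NS", 3600, 2 * DAY, 0, 14 * DAY, 11111, NS_OLD))
    v2 = (1800, RRset("example.", "NS", 2 * DAY, NS_NEW),
          RRSIG("NS", 3600, 2 * DAY, 1800, 1800 + 14 * DAY, 22222, NS_NEW))
    return Authoritative([v1, v2])


def run(auth, query_times):
    """Query both caches at each time; return (t, validating, non-validating)."""
    val, nonval = ValidatingCache(auth), NonValidatingCache(auth)
    return [(t, check(*val.resolve(t), t), check(*nonval.resolve(t), t))
            for t in query_times]


if __name__ == "__main__":
    print("expiry before TTL:", run(scenario_expiry_before_ttl(), [0, 7200]))
    print("RRSIG/NS TTL mismatch:", run(scenario_ttl_mismatch(), [0, 4000]))
```

In the first scenario the validating cache clamps the entry to the 3600 seconds left on the signature and refetches a fresh one, while the non-validating cache keeps serving the original RRSIG for a day and hands out a signature that expired two hours ago. In the second, the validating cache evicts both records together after the RRSIG's one-hour TTL, but the non-validating cache refreshes only the RRSIG and pairs the new signature (over ns3/ns4) with the still-cached old NS set, which is the "wrong signatures" outcome the reply warns about.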