[dns-operations] RRSIG expiry versus TTL

Andrew Sullivan ajs at anvilwalrusden.com
Tue Sep 7 17:51:45 UTC 2021

On Mon, Sep 06, 2021 at 09:36:24AM +0200, Vladimír Čunát wrote:
>I would not advise using QTYPE=RRSIG.

Oh, neither would I!  But the claim by the provider that it can't happen is simply incorrect, and any DNS operation that depends on the principle, "Surely nobody would do _that_," is, in my experience, doomed to learn a hard lesson.

>Well, that depends on the caches.  RRSIGs do have special rules for 
>TTL handling

Only if the cache is DNSSEC-aware.  An oblivious cache will cache whatever it gets according to the values it receives.

>Also, TTL should be trimmed (by signers and validators) not to go past 
>RRSIG expiration (or original TTL).  I can't recall where this is 
>stated and how strongly.

It's in RFC 4033 section 8.1.  But of course, a cache that isn't implementing DNSSEC isn't going to implement this advice either.

Best regards,


Andrew Sullivan
ajs at anvilwalrusden.com
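The following is an added example, not part of the thread above, written to make the TTL rule under discussion concrete. It implements the cap that RFC 4035 section 5.3.3 puts on a validating cache (TTL no greater than the minimum of the RRset TTL, the RRSIG TTL, the RRSIG Original TTL, and the seconds left until Signature Expiration) next to what a DNSSEC-oblivious cache does (keep the received TTL), and measures how long each would keep serving an RRset after its signature has expired. The record values and the reference time are constructed for illustration; the `SignedRRset` class and the function names are this example's own, not anything from a real resolver.

```python
"""Effective cache TTL for a DNSSEC-signed RRset: validating vs. oblivious cache.

Added example, not code from the dns-operations thread. The validating rule
follows RFC 4035 section 5.3.3; the "oblivious" function models a cache that
does not implement DNSSEC at all and therefore never looks at RRSIG.
"""
from dataclasses import dataclass

SERIAL_MOD = 2 ** 32  # RRSIG Inception/Expiration are 32-bit serial numbers (RFC 4034 s3.1.5)

# Constructed reference "now" (seconds since epoch) used by the examples below.
NOW = 1_630_000_000


def serial_diff(later: int, earlier: int) -> int:
    """Signed seconds from `earlier` to `later` under RFC 1982 serial arithmetic.

    RRSIG times wrap at 2^32, so a plain subtraction is wrong near the wrap
    point; this returns a negative number when `later` is actually in the past.
    """
    d = (later - earlier) % SERIAL_MOD
    return d if d < SERIAL_MOD // 2 else d - SERIAL_MOD


@dataclass(frozen=True)
class SignedRRset:
    name: str
    rtype: str
    ttl: int             # TTL carried on the RRset as received
    rrsig_ttl: int       # TTL carried on the covering RRSIG
    original_ttl: int    # RRSIG Original TTL field
    sig_expiration: int  # RRSIG Signature Expiration (seconds since epoch mod 2^32)


def validating_cache_ttl(rr: SignedRRset, now: int) -> int:
    """TTL a validating cache may use for the RRset and its RRSIG.

    RFC 4035 s5.3.3: no greater than the minimum of the RRset TTL, the RRSIG
    TTL, the Original TTL, and (Signature Expiration - now). An already
    expired signature validates as Bogus, modelled here as a TTL of 0.
    """
    remaining = serial_diff(rr.sig_expiration, now)
    if remaining <= 0:
        return 0
    return min(rr.ttl, rr.rrsig_ttl, rr.original_ttl, remaining)


def oblivious_cache_ttl(rr: SignedRRset, now: int) -> int:
    """A cache that does not implement DNSSEC keeps whatever TTL it received.

    It never reads the RRSIG, so neither the RRSIG TTL nor the expiration
    time has any effect on how long the data stays cached.
    """
    return rr.ttl


def seconds_served_after_expiry(rr: SignedRRset, now: int, ttl_fn) -> int:
    """How long a cache using `ttl_fn` keeps answering from this RRset after
    the covering RRSIG has expired. A validating cache must return 0."""
    ttl = ttl_fn(rr, now)
    remaining = max(serial_diff(rr.sig_expiration, now), 0)
    return max(0, ttl - remaining)


# Constructed sample: a day-long TTL but a signature that expires in one hour,
# the situation the thread is about (TTL outliving RRSIG validity).
EXAMPLE = SignedRRset(
    name="www.example.",
    rtype="A",
    ttl=86400,
    rrsig_ttl=86400,
    original_ttl=86400,
    sig_expiration=NOW + 3600,
)

if __name__ == "__main__":
    for label, fn in (("validating", validating_cache_ttl),
                      ("oblivious", oblivious_cache_ttl)):
        print(f"{label:10s} cache TTL={fn(EXAMPLE, NOW):6d}s, "
              f"served past RRSIG expiry={seconds_served_after_expiry(EXAMPLE, NOW, fn)}s")
```

Run as a script it shows the validating cache capping the TTL at 3600 seconds while the oblivious cache keeps the 86400-second TTL and goes on answering for 82800 seconds after the signature has lapsed; any validating resolver downstream of that oblivious cache would then see an expired RRSIG. The same `min()` is where a signer-side trim would go if a zone's TTLs are longer than its signature validity period, which is the advice in RFC 4033 section 8.1.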