[dns-operations] RRSIG expiry versus TTL
Andrew Sullivan
ajs at anvilwalrusden.com
Tue Sep 7 17:51:45 UTC 2021
On Mon, Sep 06, 2021 at 09:36:24AM +0200, Vladimír Čunát wrote:
>
>I would not advise using QTYPE=RRSIG.
Oh, neither would I! But the claim by the provider that it can't happen is simply incorrect, and any DNS operation that depends on the principle, "Surely nobody would do _that_," is, in my experience, doomed to learn a hard lesson.
>Well, that depends on the caches. RRSIGs do have special rules for
>TTL handling
Only if the cache is DNSSEC-aware. An oblivious cache will cache whatever it gets according to the values it receives.
>Also, TTL should be trimmed (by signers and validators) not to go past
>RRSIG expiration (or original TTL). I can't recall where this is
>stated and how strongly.
It's in RFC 4033 section 8.1. But of course, a cache that isn't implementing DNSSEC isn't going to implement this advice either.
Best regards,
A
--
Andrew Sullivan
ajs at anvilwalrusden.com
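As an added example (not part of either message on this thread), the TTL trimming discussed above in Python: a DNSSEC-oblivious cache keeps whatever TTL it received, while a validating cache caps it at the RRSIG's original TTL and at the seconds remaining before the signature expires. The RRSIG fields and the clock value are constructed for illustration.

```python
from datetime import datetime, timezone
from typing import Optional

# RRSIG inception/expiration are written YYYYMMDDHHmmSS in UTC (RFC 4034
# presentation format); we work from that form, so plain integer comparison
# is enough here (the wire form uses 32-bit serial-number arithmetic).
def parse_rrsig_time(text: str) -> int:
    """Convert an RRSIG timestamp field to seconds since the Unix epoch."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def oblivious_cache_ttl(rrset_ttl: int, rrsig: dict, now: int) -> int:
    """A cache that does not implement DNSSEC ignores the RRSIG entirely
    and caches the RRset for exactly the TTL it was handed."""
    return rrset_ttl

def validating_cache_ttl(rrset_ttl: int, rrsig: dict, now: int) -> Optional[int]:
    """A DNSSEC-aware cache trims the TTL so the RRset cannot outlive its
    signature: never above the RRSIG original TTL, never past expiration.
    Returns None when the signature is not currently valid at all."""
    inception = parse_rrsig_time(rrsig["inception"])
    expiration = parse_rrsig_time(rrsig["expiration"])
    if not (inception <= now < expiration):
        return None
    return min(rrset_ttl, rrsig["original_ttl"], expiration - now)

# Constructed RRSIG covering a hypothetical A RRset; the signature expires
# 8 minutes 15 seconds after the constructed "now" used in compare_caches().
SAMPLE_RRSIG = {
    "original_ttl": 3600,
    "inception": "20210831180000",
    "expiration": "20210907180000",
}

def compare_caches(rrset_ttl: int = 3600, now_text: str = "20210907175145") -> dict:
    """Show how long each kind of cache would keep the same answer."""
    now = parse_rrsig_time(now_text)
    return {
        "oblivious": oblivious_cache_ttl(rrset_ttl, SAMPLE_RRSIG, now),
        "validating": validating_cache_ttl(rrset_ttl, SAMPLE_RRSIG, now),
    }

if __name__ == "__main__":
    # The oblivious cache holds the RRset for an hour; the validator for 495 s.
    print(compare_caches())
```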