[dns-operations] RRSIG expiry versus TTL

Mark Andrews marka at isc.org
Tue Sep 7 21:14:06 UTC 2021

DNSSEC does not work through non DNSSEC aware servers.  Think about the negative answers.  Additionally the DNSSEC aware servers need to be validating for corner cases. 

There is no point in worrying about non DNSSEC aware server behaviour when it comes to caching because of the above. 

What the report is actually saying is that the re-signing isn’t happening soon enough for the zone content. 
Mark Andrews

> On 8 Sep 2021, at 00:36, Wessels, Duane <dwessels at verisign.com> wrote:
>>> On Sep 5, 2021, at 9:08 AM, Matthew Richardson <matthew-l at itconsult.co.uk> wrote:
>>> the RRSIG TTL should match the NS record TTL, but ..., the validating 
>>> resolver does not care, and should not, about RRSIG TTL. So the 
>>> difference between the expiration of the rrsig and the TTL shouldn't 
>>> or doesn't impact the online services.
> That may be true for validating recursive name servers, because the spec
> says the validator should use the minimum of the two TTLs if they differ.
> However, if there is a non-validating resolver (cache) in the resolution
> path then they can be cached differently and the wrong signatures could
> be returned to a client.
> DW

More information about the dns-operations mailing list