[Unbound-users] Expired RRSIGs, yet still "AD" flag set
Paul Wouters
paul at xelerance.com
Wed Mar 30 12:48:13 UTC 2011
On Wed, 30 Mar 2011, Hauke Lampe wrote:
> I have a case here where RRSIGs expired, yet Unbound still sets the "AD"
> flag in responses. The records have a TTL of 2 days, so I think the
> signatures expired while in the cache and Unbound did not revalidate
> them before handing out the answer.
>
> I'm not too deep into the details of all DNSSEC RFCs. Is this behaviour
> permitted by the standard or is it a bug in Unbound?
RFC4034 states:
3.1.5. Signature Expiration and Inception Fields
The Signature Expiration and Inception fields specify a validity
period for the signature. The RRSIG record MUST NOT be used for
authentication prior to the inception date and MUST NOT be used for
authentication after the expiration date.
I read that as: if the record is authenticated, put it in the cache and
use it until the TTL has expired.
Paul
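As an added illustration of the point under discussion (not code from the thread or from Unbound), the model below applies the RFC 4034 3.1.5 validity window with the serial-number arithmetic that section requires, and the RFC 4035 5.3.3 rule that a validator caps the cache TTL of validated data at the signature's remaining validity; the two-day TTL and one-day remaining validity are constructed values, and `answer_flags` is a hypothetical model of the cache, not Unbound's logic.

```python
from dataclasses import dataclass

MASK32 = 0xFFFFFFFF
HALF = 1 << 31


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 serial comparison on 32-bit values (RFC 4034 3.1.5 requires it
    for RRSIG inception/expiration, which are seconds since the epoch mod 2^32)."""
    a, b = a & MASK32, b & MASK32
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


@dataclass(frozen=True)
class Rrsig:
    inception: int     # signature inception, seconds since epoch
    expiration: int    # signature expiration, seconds since epoch
    original_ttl: int  # RRSIG Original TTL field
    ttl: int           # TTL of the RRSIG RR as received


def rrsig_usable(sig: Rrsig, now: int) -> bool:
    """RFC 4034 3.1.5: MUST NOT be used before inception or after expiration."""
    return not serial_lt(now, sig.inception) and not serial_lt(sig.expiration, now)


def cache_ttl(rrset_ttl: int, sig: Rrsig, now: int) -> int:
    """RFC 4035 5.3.3: cache TTL of validated data is no greater than the minimum
    of the RRset TTL, the RRSIG TTL, Original TTL and the remaining validity."""
    if not rrsig_usable(sig, now):
        raise ValueError("RRSIG outside its validity window at validation time")
    remaining = (sig.expiration - now) & MASK32
    return min(rrset_ttl, sig.ttl, sig.original_ttl, remaining)


def answer_flags(validated_at: int, rrset_ttl: int, sig: Rrsig, now: int, clamp: bool) -> str:
    """Hypothetical cache model: 'AD' if the entry is still served from cache,
    'miss' if it has aged out and must be refetched and revalidated."""
    ttl = cache_ttl(rrset_ttl, sig, validated_at) if clamp else rrset_ttl
    return "miss" if now - validated_at >= ttl else "AD"


# Constructed scenario: two-day TTL, signature expires one day after validation.
SIG = Rrsig(inception=900_000, expiration=1_086_400, original_ttl=172_800, ttl=172_800)
VALIDATED_AT = 1_000_000
LATER = 1_100_000  # 100_000 s later: within the TTL, past the expiration
```

With the clamp the entry ages out before the signature expires; without it the cache can still answer "AD" at a time when `rrsig_usable` is already False, which is the behaviour reported above.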