Maintained by: NLnet Labs

[Unbound-users] Expired RRSIGs, yet still "AD" flag set

W.C.A. Wijngaards
Wed Mar 30 14:49:41 CEST 2011


Hi,

On 03/30/2011 02:48 PM, Paul Wouters wrote:
> On Wed, 30 Mar 2011, Hauke Lampe wrote:
> 
>> I have a case here where RRSIGs expired, yet Unbound still sets the "AD"
>> flag in responses. The records have a TTL of 2 days, so I think the
>> signatures expired while in the cache and Unbound did not revalidate
>> them before handing out the answer.
>>
>> I'm not too deep into the details of all DNSSEC RFCs. Is this behaviour
>> permitted by the standard or is it a bug in Unbound?
> 
> RFC4034 states:
> 
> 3.1.5.  Signature Expiration and Inception Fields
> 
>    The Signature Expiration and Inception fields specify a validity
>    period for the signature.  The RRSIG record MUST NOT be used for
>    authentication prior to the inception date and MUST NOT be used for
>    authentication after the expiration date.
> 
> I read that as: if the record is authenticated, put it in the cache and
> use it until the TTL has expired.

Actually unbound caps the TTL so it does not extend beyond the
expiration time.  Or, it should, and there is a bug.  It also has clock
skew stuff (for daylight saving mistakes and timezone trouble, really).

Best regards,
   Wouter
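As an added illustration of the TTL capping Wouter describes (not Unbound's code and not posted by anyone in this thread): the cached TTL of a validated RRset is cut down so it never outlives the RRSIG expiration, and the validity window is checked with the 32-bit serial-number arithmetic RFC 4034 section 3.1.5 prescribes. The YYYYMMDDHHmmSS timestamps, the 2-day TTL and the 24-hour clock-skew allowance are constructed values for the example, not Unbound's configuration.

```python
"""Cap a cache TTL by RRSIG expiration and check the signature validity window.
Illustrative code added to the thread, not Unbound's implementation."""
from datetime import datetime, timezone

SERIAL_MOD = 1 << 32       # RRSIG times are 32-bit serial numbers (RFC 4034 3.1.5)
DEFAULT_SKEW = 24 * 3600   # constructed tolerance for clock trouble, in seconds


def parse_rrsig_time(text: str) -> int:
    """Presentation-format YYYYMMDDHHmmSS (UTC) -> seconds since epoch mod 2^32."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % SERIAL_MOD


def serial_diff(a: int, b: int) -> int:
    """Signed a - b under serial arithmetic, so wrap-around at 2^32 is handled."""
    d = (a - b) % SERIAL_MOD
    return d - SERIAL_MOD if d >= SERIAL_MOD // 2 else d


def rrsig_usable(inception: int, expiration: int, now: int,
                 skew: int = DEFAULT_SKEW) -> bool:
    """True when `now` lies within [inception - skew, expiration + skew]."""
    return (serial_diff(now, inception) >= -skew
            and serial_diff(expiration, now) >= -skew)


def capped_ttl(rr_ttl: int, expiration: int, now: int) -> int:
    """TTL to cache the validated RRset with: never beyond signature expiration.
    The skew allowance is deliberately not added here; once the signature has
    expired the entry should drop out of the cache and be revalidated."""
    remaining = serial_diff(expiration, now)
    return max(0, min(rr_ttl, remaining))


def cache_decision(rr_ttl: int, inception: str, expiration: str, now: str):
    """(usable, ttl) for an RRset whose signature has the given validity window."""
    inc, exp, t = (parse_rrsig_time(x) for x in (inception, expiration, now))
    usable = rrsig_usable(inc, exp, t)
    return usable, capped_ttl(rr_ttl, exp, t) if usable else 0


if __name__ == "__main__":
    # A 2-day TTL record whose signature expires in one hour: cache for 3600s.
    print(cache_decision(172800, "20110323140000", "20110330150000", "20110330140000"))
```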