Hello,

In my opinion, the following situation should be avoided, but I'd welcome motivated second opinions.

A DNSSEC verification script yielded a warning this morning:

    HIDDEN : (soa = HIDDEN) (# RRSIGS : 1) (keyid : HIDDEN)
    inception : 20101124231706 ok
    now : 20101127083003
    expiration : 20101129231706 ok
    ttl : 259200
    expiration - ttl : 20101126231706 WARNING (becomes invalid during TTL)

In summary: there is one (1) RRSIG available, which is valid now and not yet expired. However, given the TTL, the signature will expire while still in the cache.

Q1: If a RRSIG is found in the cache (cache "hit"), but it is expired:
  ? should a validating caching name server "ignore" the RRSIG in the cache and look for a "refresh"?
  ? will Bind do so?

Q2: Does Bind "automatic" resigning take the TTL into account? (so that it does not resign later than "present expiration" - "TTL")
Or is this irrelevant because the answer to the earlier question is that an expired RRSIG in the cache must be refreshed.

Thanks and kind regards,

Marc Lampo
Security Officer
EURid
Woluwelaan 150
1831 Diegem - Belgium
TEL.: +32 (0) 2 401 3030
MOB.: +32 (0)476 984 391
marc.la...@eurid.eu
http://www.eurid.eu

Want a .eu web address in your own language? Find out how so you don't miss out!
Register your .eu domain name and win an iPod through this X-Mas
http://www.winwith.eu

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
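An added example, not the poster's script, that reproduces the "expiration - ttl" check behind the warning above in Python and also derives the latest resigning time it implies; the timestamps and TTL are the ones in the post, the function names are my own.

```python
from datetime import datetime, timedelta, timezone

# RRSIG inception/expiration timestamps in the YYYYMMDDHHMMSS form shown in the post.
TS_FMT = "%Y%m%d%H%M%S"

# Values copied from the warning in the post (TTL 259200 s = 3 days).
POST_INCEPTION = "20101124231706"
POST_NOW = "20101127083003"
POST_EXPIRATION = "20101129231706"
POST_TTL = 259200


def parse_ts(s):
    """Parse an RRSIG timestamp string as UTC."""
    return datetime.strptime(s, TS_FMT).replace(tzinfo=timezone.utc)


def latest_safe_serve_time(expiration, ttl):
    """Latest moment a resolver may cache the RRset for a full TTL
    without the signature expiring before the cached copy does
    (the script's 'expiration - ttl' value)."""
    return parse_ts(expiration) - timedelta(seconds=ttl)


def check_rrsig(inception, expiration, ttl, now):
    """Classify an RRSIG the way the script in the post does.
    Returns 'not yet valid', 'expired', 'warning' (valid now but would
    expire inside a cache entry fetched now) or 'ok'."""
    t = parse_ts(now)
    if t < parse_ts(inception):
        return "not yet valid"
    if t >= parse_ts(expiration):
        return "expired"
    if t > latest_safe_serve_time(expiration, ttl):
        return "warning"
    return "ok"


def slack_seconds(expiration, ttl, now):
    """Seconds left before the warning condition starts; negative once inside it.
    A resigning job must run before this reaches zero to avoid the situation."""
    return int((latest_safe_serve_time(expiration, ttl) - parse_ts(now)).total_seconds())


if __name__ == "__main__":
    print(check_rrsig(POST_INCEPTION, POST_EXPIRATION, POST_TTL, POST_NOW))
    print(slack_seconds(POST_EXPIRATION, POST_TTL, POST_NOW))
```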