> From: "Marc Lampo" <marc.la...@eurid.eu>
> Date: Sat, 27 Nov 2010 13:09:13 +0100 (CET)
> Sender: bind-users-bounces+oberman=es....@lists.isc.org
>
> Hello,
>
> In my opinion, the following situation should be avoided,
> but I'd welcome motivated second opinions.
>
> A DNSSEC verification script yielded a warning this morning:
>
> HIDDEN : (soa = HIDDEN) (# RRSIGS : 1) (keyid : HIDDEN)
> inception       : 20101124231706 ok
> now             : 20101127083003
> expiration      : 20101129231706 ok
> ttl             : 259200
> expiration - ttl : 20101126231706 WARNING (becomes invalid during TTL)
>
> In summary:
> There is one (1) RRSIG available,
> which is valid now and not yet expired.
> However, given the TTL, the signature will expire while still in the
> cache.
>
> Q1: If an RRSIG is found in the cache (cache "hit"),
> but it is expired:
> ? Should a validating caching name server "ignore" the RRSIG in the
> cache and look for a "refresh"?
Nope. It should refuse to validate.

> ? Will Bind do so?

Pretty sure that it will return SERVFAIL.

> Q2: Does Bind "automatic" resigning take the TTL into account?
> (so that it does not resign later than "present expiration" - "TTL")
> Or is this irrelevant because the answer to the earlier question
> is that an expired RRSIG in the cache must be refreshed?

Not sure. The RFCs contain warnings that you MUST take the re-signing
interval into account when setting TTL. The interval between ZSK signing
must be set so that the TTL for an expiring key will always expire first,
so that the new key will be fetched before the old one expires. I think
the heading in the RFC is "TTL Considerations", but I am working from
memory.

I don't use BIND to sign my data, so I am not sure how "smart" BIND is
about these numbers.

--
R. Kevin Oberman, Network Engineer
Energy Sciences Network (ESnet)
Ernest O. Lawrence Berkeley National Laboratory (Berkeley Lab)
E-mail: ober...@es.net
Phone: +1 510 486-8634
Key fingerprint: 059B 2DDF 031C 9BA3 14A4 EADA 927D EBB3 987B 3751

_______________________________________________
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
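The check Marc's script performs (is `expiration - ttl` already in the past?) and the signing-side constraint Kevin describes (re-sign no later than `validity - ttl` after inception), as a worked example added to this thread. It is not code from the thread, from EURid's script or from BIND; the function names, the `RrsigCheck` record and the constructed inputs are mine, with the timestamps, TTL and "now" taken from the warning quoted above. Timestamps are the 14-digit UTC presentation form of RRSIG inception/expiration; clock skew, prefetch and serve-stale behaviour of particular resolvers are not modelled.

```python
"""RRSIG-expires-inside-TTL check, plus the matching re-signing bound.

Added example for the bind-users thread above; not BIND code and not
the posters' script. Inputs below are constructed from the quoted warning.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# RRSIG inception/expiration presentation format: YYYYMMDDHHMMSS in UTC.
RRSIG_TIME_FMT = "%Y%m%d%H%M%S"


def parse_rrsig_time(text: str) -> datetime:
    """Parse a 14-digit RRSIG timestamp into a timezone-aware UTC datetime."""
    if len(text) != 14 or not text.isdigit():
        raise ValueError(f"not a YYYYMMDDHHMMSS timestamp: {text!r}")
    return datetime.strptime(text, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


@dataclass(frozen=True)
class RrsigCheck:
    valid_now: bool               # inception <= now <= expiration
    expires_in_cache: bool        # a copy fetched at `now` with full TTL outlives the signature
    latest_cache_fill: datetime   # expiration - ttl: last moment a cache can fetch it safely
    cache_exposure_seconds: int   # how long a cache filled at `now` holds an expired RRSIG


def check_rrsig(inception: str, expiration: str, ttl: int, now: datetime) -> RrsigCheck:
    """Resolver-side view: is the RRSIG valid now, and would caching it at
    `now` for `ttl` seconds leave the cache holding an expired signature?"""
    inc = parse_rrsig_time(inception)
    exp = parse_rrsig_time(expiration)
    if exp <= inc:
        raise ValueError("expiration must be after inception")
    if ttl < 0:
        raise ValueError("ttl must be non-negative")
    latest_fill = exp - timedelta(seconds=ttl)
    # Seconds between the cached copy's natural expiry (now + ttl) and the
    # signature's expiry; positive means the cache outlives the signature.
    exposure = (now + timedelta(seconds=ttl)) - exp
    return RrsigCheck(
        valid_now=inc <= now <= exp,
        expires_in_cache=now > latest_fill,
        latest_cache_fill=latest_fill,
        cache_exposure_seconds=max(0, int(exposure.total_seconds())),
    )


def max_resign_interval(validity_seconds: int, ttl: int) -> int:
    """Signer-side view: a signature that lives `validity_seconds` over an
    RRset with TTL `ttl` must be replaced no later than this many seconds
    after inception. A copy fetched just before re-signing lives ttl more
    seconds, so resign_interval + ttl <= validity must hold."""
    if validity_seconds <= 0 or ttl < 0:
        raise ValueError("validity must be positive and ttl non-negative")
    if ttl >= validity_seconds:
        raise ValueError("TTL is not shorter than the signature validity period")
    return validity_seconds - ttl


def report(inception: str, expiration: str, ttl: int, now: datetime) -> list[str]:
    """Render the verdict in the same spirit as the quoted script output."""
    r = check_rrsig(inception, expiration, ttl, now)
    lines = [
        f"inception        : {inception} {'ok' if parse_rrsig_time(inception) <= now else 'NOT YET VALID'}",
        f"now              : {now.strftime(RRSIG_TIME_FMT)}",
        f"expiration       : {expiration} {'ok' if now <= parse_rrsig_time(expiration) else 'EXPIRED'}",
        f"ttl              : {ttl}",
        f"expiration - ttl : {r.latest_cache_fill.strftime(RRSIG_TIME_FMT)}"
        + (f" WARNING (becomes invalid during TTL, up to {r.cache_exposure_seconds}s)"
           if r.expires_in_cache else " ok"),
    ]
    return lines


if __name__ == "__main__":
    # Constructed from the warning quoted in the thread.
    now = parse_rrsig_time("20101127083003")
    for line in report("20101124231706", "20101129231706", 259200, now):
        print(line)
    # With a 5-day validity and a 3-day TTL the zone must be re-signed
    # within 2 days (172800 s) of inception.
    print("max re-sign interval:", max_resign_interval(5 * 86400, 259200))
```

The interesting value is `latest_cache_fill`: after that moment the authoritative server is still handing out a signature that validates today but will be rejected by any resolver that caches it for the full TTL, which is exactly what the script flagged. `max_resign_interval` is the same inequality seen from the signer, and it is the number to compare against a signer's re-signing schedule.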