* Marc Lampo: > If anybody disagrees with this interpretation, > and interprets it like expired RRSIG's *must* be deleted from a cache, > would you be so kind to share the reference(s) any RFC's on which you base > your interpretation.
You need to cache expired RRSIGs for some time, or else every DO=1 query for the relevant record triggers a cache miss, which would be problematic. This negative caching of DNSSEC-related failure is optional according to the RFC, but is required as a practical matter in implementations suitable for large-scale deployment. -- Florian Weimer <fwei...@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99 _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
