I agree for the consequence of those "cache misses". But doesnot that mean that RFC4035 needs amended to state : "remove atomic entry if *all* its RRSIGs get invalid" (because now it states : any = "at least one")
And it implicitly confirms that these statements in the RFC do apply to expired RRSIG's in the cache. Thanks and kind regards, Marc Lampo EURid -----Original Message----- From: Florian Weimer [mailto:fwei...@bfk.de] Sent: 03 January 2011 10:22 AM To: Marc Lampo Cc: bind-users@lists.isc.org Subject: Re: caching of expired RRSIG's ? * Marc Lampo: > If anybody disagrees with this interpretation, > and interprets it like expired RRSIG's *must* be deleted from a cache, > would you be so kind to share the reference(s) any RFC's on which you base > your interpretation. You need to cache expired RRSIGs for some time, or else every DO=1 query for the relevant record triggers a cache miss, which would be problematic. This negative caching of DNSSEC-related failure is optional according to the RFC, but is required as a practical matter in implementations suitable for large-scale deployment. -- Florian Weimer <fwei...@bfk.de> BFK edv-consulting GmbH http://www.bfk.de/ Kriegsstraße 100 tel: +49-721-96201-1 D-76133 Karlsruhe fax: +49-721-96201-99 Register your .eu domain name and win an iPod touch this X-Mas http://www.winwith.eu _______________________________________________ bind-users mailing list bind-users@lists.isc.org https://lists.isc.org/mailman/listinfo/bind-users
