Please also note that the below test is successful with a prefetch value of 0. To me this really looks like prefetching forgets to update RRSIGs.
Thomas

> On 06.07.2016, at 15:29, Thomas Sturm <t...@open.ch> wrote:
>
> Hi Mark,
>
> I may have found another (possibly related?) bug:
>
> I noticed that when validating a signed zone using delv by querying a local
> BIND caching server (v9.10.3-P4), it sometimes suddenly alerts "no valid
> RRSIG". Indeed, when querying "dig ds mydomain +dnssec", it returns the DS
> records, but no RRSIG at all. The following sequence of commands (output
> simplified) makes me think this might be related to prefetch/cache expiry as
> well (prefetch value 2):
>
> $ while true; do dig ds mydomain; sleep 1; done
> ;; ANSWER SECTION:
> mydomain. 3 IN DS […]
> mydomain. 3 IN DS […]
> mydomain. 3 IN RRSIG DS […]
>
> ;; ANSWER SECTION:
> mydomain. 3600 IN DS […]
> mydomain. 3600 IN DS […]
> mydomain. 2 IN RRSIG DS […]
>
> ;; ANSWER SECTION:
> mydomain. 3599 IN DS […]
> mydomain. 3599 IN DS […]
> mydomain. 1 IN RRSIG DS […]
>
> ;; ANSWER SECTION:
> mydomain. 3598 IN DS […]
> mydomain. 3598 IN DS […]
> mydomain. 0 IN RRSIG DS […]
>
> ;; ANSWER SECTION:
> mydomain. 3597 IN DS […]
> mydomain. 3597 IN DS […]
>
>
> What's your take on this?
>
> Regards,
> Thomas
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
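Added example, not part of the original thread: a small Python check that reads saved `dig +dnssec` output from a resolver and flags the two symptoms visible in the quoted output, an RRset whose covering RRSIG carries a different TTL and an RRset returned with no RRSIG at all. The sample input is constructed from the simplified output above with `<rdata>` as a placeholder; the function names are hypothetical, and a signed zone queried with `+dnssec` is assumed.

```python
import re

# Constructed sample modelled on the simplified output quoted above (<rdata> is a placeholder).
SAMPLE = """\
;; ANSWER SECTION:
mydomain. 3 IN DS <rdata>
mydomain. 3 IN RRSIG DS <rdata>

;; ANSWER SECTION:
mydomain. 3600 IN DS <rdata>
mydomain. 2 IN RRSIG DS <rdata>

;; ANSWER SECTION:
mydomain. 3597 IN DS <rdata>
"""

RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s*(.*)$")

def answer_sections(text):
    """Return the record lines of every ';; ANSWER SECTION:' block."""
    sections, current = [], None
    for line in text.splitlines():
        if line.startswith(";; ANSWER SECTION"):
            current = []
            sections.append(current)
        elif current is not None:
            if not line.strip() or line.startswith(";"):
                current = None  # blank line or next header ends the section
            else:
                current.append(line)
    return sections

def check_section(lines):
    """Compare each RRset's TTL with the TTL of the RRSIG covering it."""
    data, sigs = {}, {}  # (owner, type) -> TTL; (owner, covered type) -> TTL
    for m in filter(None, map(RR.match, lines)):
        owner, ttl, rtype, rdata = m[1].lower(), int(m[2]), m[3], m[4].split()
        if rtype == "RRSIG" and rdata:
            sigs[(owner, rdata[0])] = ttl  # first RRSIG rdata field: type covered
        elif rtype != "RRSIG":
            data[(owner, rtype)] = ttl
    findings = []
    for (owner, rtype), ttl in sorted(data.items()):
        sig_ttl = sigs.get((owner, rtype))
        if sig_ttl is None:
            findings.append((owner, rtype, "missing-rrsig", ttl, None))
        elif sig_ttl != ttl:
            findings.append((owner, rtype, "ttl-mismatch", ttl, sig_ttl))
    return findings
```

Each finding is a tuple of owner, type, symptom, RRset TTL and RRSIG TTL; an empty list means every RRset in that answer had a covering RRSIG with the same TTL.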