On 23 Sep 2013, at 08:16, Jakob Schlyter <[email protected]> wrote:
>> Validating resolvers will drop an RRSIG from a cache and re-fetch if the
>> local clock has ticked past the expiration timer specified in the
>> corresponding RRSIG RDATA field.
>
> I would say "might drop", not "will drop". The specification is not strict on
> this and even though refetching may be the sane thing to do, I can imagine
> validating resolvers just returning bogus if the (expired) signature in the
> cache does not validate the associated cached data.
Unbound will cap the TTL of the resulting records to the remaining
TTL-to-expiry for that RRSIG. And then the normal TTL countdown keeps expired
RRSIGs out of user results.
jakob
_______________________________________________
Opendnssec-user mailing list
[email protected]
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
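The TTL capping discussed in the thread is the rule of RFC 4035 section 5.3.3: once a validator has accepted an RRset as authentic, it sets the cache TTL of the RRset and its RRSIG to no more than the minimum of the received RRset TTL, the RRSIG TTL, the RRSIG Original TTL field, and the time remaining until Signature Expiration. The following is an added example written for this page, not Unbound's or OpenDNSSEC's code; the class and function names, the two-week signature window and the query timestamps are constructed for illustration. It shows why an entry inserted under that rule can never be served with an already-expired RRSIG, and how the "at or past expiration" case is refused instead of being cached, using RFC 1982 serial arithmetic on the 32-bit time fields as RFC 4034 section 3.1.5 requires.

```python
# Added example (not Unbound's or OpenDNSSEC's code): capping the cache TTL of
# a DNSSEC-validated RRset per RFC 4035 s.5.3.3 so that a cached RRSIG is never
# handed out after its Signature Expiration. Time fields are compared with the
# RFC 1982 serial arithmetic that RFC 4034 s.3.1.5 mandates for the 32-bit
# Inception/Expiration fields. Names and sample data below are constructed.
import calendar
import time
from dataclasses import dataclass
from typing import Optional

TWO32 = 1 << 32


@dataclass(frozen=True)
class Rrsig:
    ttl: int            # TTL of the RRSIG RR as received
    original_ttl: int   # Original TTL field of the RRSIG RDATA
    inception: int      # Signature Inception, seconds since epoch mod 2^32
    expiration: int     # Signature Expiration, seconds since epoch mod 2^32


@dataclass
class CacheEntry:
    rrset_ttl: int      # capped TTL stored with the RRset
    sig: Rrsig
    expires_at: int     # absolute time at which the entry is evicted


class SignatureOutOfWindow(Exception):
    """RRSIG is not yet valid, or already expired, at the given time."""


def parse_rrsig_time(text: str) -> int:
    """Presentation format YYYYMMDDHHmmSS (UTC) -> seconds since epoch mod 2^32."""
    return calendar.timegm(time.strptime(text, "%Y%m%d%H%M%S")) % TWO32


def serial_diff(a: int, b: int) -> int:
    """a - b under RFC 1982 serial-number arithmetic on 32-bit values."""
    d = (a - b) % TWO32
    return d - TWO32 if d >= TWO32 // 2 else d


def in_validity_window(sig: Rrsig, now: int) -> bool:
    # RFC 4034 s.3.1.5: valid when inception <= now < expiration (serial arithmetic).
    return serial_diff(now, sig.inception) >= 0 and serial_diff(sig.expiration, now) > 0


def capped_ttl(rrset_ttl: int, sig: Rrsig, now: int) -> int:
    """RFC 4035 s.5.3.3 cap; refuses (bogus) rather than caching an expired signature."""
    if not in_validity_window(sig, now):
        raise SignatureOutOfWindow
    remaining = serial_diff(sig.expiration, now)
    return min(rrset_ttl, sig.ttl, sig.original_ttl, remaining)


def cache_insert(rrset_ttl: int, sig: Rrsig, now: int) -> CacheEntry:
    ttl = capped_ttl(rrset_ttl, sig, now)
    return CacheEntry(rrset_ttl=ttl, sig=sig, expires_at=now + ttl)


def cache_lookup(entry: CacheEntry, now: int) -> Optional[int]:
    """Remaining TTL to return to the client, or None once the entry has aged out.
    Since expires_at <= sig.expiration by construction, every hit still carries
    an RRSIG inside its validity window: the TTL countdown alone does the job."""
    if now >= entry.expires_at:
        return None
    return entry.expires_at - now


# Constructed sample: a two-week signature window, first queried at the
# timestamp of the mail above.
SIG = Rrsig(ttl=3600, original_ttl=3600,
            inception=parse_rrsig_time("20130916000000"),
            expiration=parse_rrsig_time("20130930000000"))
NOW = parse_rrsig_time("20130923081600")


def demo() -> dict:
    early = cache_insert(3600, SIG, NOW)                    # far from expiry: plain TTL
    late = cache_insert(3600, SIG, SIG.expiration - 600)    # 10 min left: TTL capped to 600
    try:
        cache_insert(3600, SIG, SIG.expiration)             # at expiry: refused, not cached
        refused = False
    except SignatureOutOfWindow:
        refused = True
    return {
        "early_ttl": early.rrset_ttl,
        "late_ttl": late.rrset_ttl,
        "late_hit_5min_before_expiry": cache_lookup(late, SIG.expiration - 300),
        "late_miss_at_expiry": cache_lookup(late, SIG.expiration),
        "refused_at_expiry": refused,
        "sig_valid_on_last_possible_hit": in_validity_window(SIG, late.expires_at - 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note that the cap only protects against serving an expired signature from cache; it says nothing about what a validator does if it is asked to re-validate cached data with a signature that has since expired, which is the "might drop" versus "returning bogus" latitude Jakob points out above.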