On Wed, 30 Mar 2011, Hauke Lampe wrote:
> I have a case here where RRSIGs expired, yet Unbound still sets the "AD"
> flag in responses. The records have a TTL of 2 days, so I think the
> signatures expired while in the cache and Unbound did not revalidate
> them before handing out the answer.
> I'm not too deep into the details of all DNSSEC RFCs. Is this behaviour
> permitted by the standard or is it a bug in Unbound?
RFC4034 states:
3.1.5. Signature Expiration and Inception Fields
The Signature Expiration and Inception fields specify a validity
period for the signature. The RRSIG record MUST NOT be used for
authentication prior to the inception date and MUST NOT be used for
authentication after the expiration date.
I read that as: if the record is authenticated, put it in the cache and
use it until the TTL has expired.
Paul
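Added example, written for this page and not taken from the thread or from Unbound's source: a validating cache sidesteps the situation Hauke describes by applying the TTL bound that RFC 4035 section 5.3.3 places on validated RRsets, so a cached entry never outlives the RRSIG's Signature Expiration. Timestamps and TTLs below are constructed to mirror the thread's 2-day TTL case; times are compared with RFC 1982 serial arithmetic as RFC 4034 section 3.1.5 requires.

```python
SERIAL_MOD = 1 << 32   # RRSIG Inception/Expiration are unsigned 32-bit seconds
SERIAL_HALF = 1 << 31


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 serial-number 'a < b', so comparisons survive 32-bit wraparound."""
    a, b = a % SERIAL_MOD, b % SERIAL_MOD
    return (a < b and b - a < SERIAL_HALF) or (a > b and a - b > SERIAL_HALF)


def rrsig_time_valid(inception: int, expiration: int, now: int) -> bool:
    """RFC 4034 3.1.5: usable from inception up to and including expiration."""
    return not serial_lt(now, inception) and not serial_lt(expiration, now)


def clamped_ttl(rrset_ttl: int, rrsig_ttl: int, original_ttl: int,
                expiration: int, now: int) -> int:
    """RFC 4035 5.3.3: the cached TTL of a validated RRset (and its RRSIG) is at
    most the minimum of the received RRset TTL, the RRSIG TTL, the RRSIG
    Original TTL field, and the seconds left until Signature Expiration."""
    if serial_lt(expiration, now):
        return 0                       # already expired: nothing to cache
    remaining = (expiration - now) % SERIAL_MOD
    return min(rrset_ttl, rrsig_ttl, original_ttl, remaining)


def still_servable(cached_at: int, cached_ttl: int, now: int) -> bool:
    """An entry may be answered from cache (with AD) only while its TTL lasts."""
    return now - cached_at < cached_ttl


def thread_scenario():
    """Constructed: 2-day TTLs, signature expiring 12 hours after validation.
    Returns (clamped ttl, served_without_clamp, served_with_clamp, sig_valid)
    as seen one day after the answer was cached."""
    t0 = 1301500800                    # constructed validation time
    inception, expiration = t0 - 86400, t0 + 43200
    ttl = 172800                       # 2 days, as in the report
    assert rrsig_time_valid(inception, expiration, t0)
    bounded = clamped_ttl(ttl, ttl, ttl, expiration, t0)
    later = t0 + 86400                 # one day on: RRSIG is now expired
    return (bounded,
            still_servable(t0, ttl, later),       # unclamped cache still answers
            still_servable(t0, bounded, later),   # clamped cache does not
            rrsig_time_valid(inception, expiration, later))
```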
Unbound-users mailing list
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users