-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Hi,

On 03/30/2011 02:48 PM, Paul Wouters wrote:
> On Wed, 30 Mar 2011, Hauke Lampe wrote:
>
>> I have a case here where RRSIGs expired, yet Unbound still sets the "AD"
>> flag in responses. The records have a TTL of 2 days, so I think the
>> signatures expired while in the cache and Unbound did not revalidate
>> them before handing out the answer.
>>
>> I'm not too deep into the details of all DNSSEC RFCs. Is this behaviour
>> permitted by the standard or is it a bug in Unbound?
>
> RFC4034 states:
>
> 3.1.5. Signature Expiration and Inception Fields
>
> The Signature Expiration and Inception fields specify a validity
> period for the signature. The RRSIG record MUST NOT be used for
> authentication prior to the inception date and MUST NOT be used for
> authentication after the expiration date.
>
> I read that as: if the record is authenticated, put it in the cache and
> use it until the TTL has expired.

Actually unbound caps the TTL so it does not extend beyond the expiration
time. Or, it should, and there is a bug.

It also has clock skew stuff (for daylight saving mistakes and timezone
trouble, really).

Best regards,
Wouter

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.15 (GNU/Linux)
Comment: Using GnuPG with SUSE - http://enigmail.mozdev.org/

iEYEARECAAYFAk2TJuUACgkQkDLqNwOhpPjeDwCfXxQrrmHigAoHydU98iyzlohB
zDYAoK9EwI++FWh+rDeJgopPnDkVdU9V
=JvTf
-----END PGP SIGNATURE-----

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
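The TTL capping Wouter describes is spelled out in RFC 4035 section 5.3.3: once an RRset validates, its cache TTL must not exceed the minimum of the received TTL, the RRSIG's TTL, the RRSIG Original TTL field, and the seconds remaining until Signature Expiration. The following added example (written for this thread, not code from Unbound or from either poster) models that rule alongside the uncapped behaviour Hauke observed, using the thread's own numbers: a 2-day RRset TTL and a signature that runs out before the cache entry would. The `skew` tolerance in `rrsig_valid_at` stands in for the clock-skew allowance Wouter mentions; its value and all timestamps below are constructed, and plain integers are used where RFC 4034 specifies 32-bit serial-number arithmetic.

```python
"""Model of DNSSEC cache TTL capping against RRSIG expiration.

Added illustration for the unbound-users thread above; not Unbound code.
Timestamps are handled as plain POSIX seconds for clarity (RFC 4034 3.1.5
actually defines them as 32-bit fields compared with RFC 1982 serial
arithmetic).
"""
from datetime import datetime, timezone

DAY = 86400


def parse_rrsig_time(field: str) -> int:
    """Parse an RRSIG Inception/Expiration field in presentation format
    (YYYYMMDDHHmmSS, always UTC) into POSIX seconds."""
    dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def rrsig_valid_at(inception: int, expiration: int, now: int, skew: int = 0) -> bool:
    """RFC 4034 3.1.5: usable only inside [inception, expiration].
    `skew` widens the window by a constructed tolerance, in the spirit of a
    validator allowing for slightly wrong clocks."""
    return inception - skew <= now <= expiration + skew


def capped_ttl(rrset_ttl: int, rrsig_ttl: int, original_ttl: int,
               expiration: int, now: int) -> int:
    """Cache TTL per RFC 4035 5.3.3: the minimum of the RRset TTL, the RRSIG
    TTL, the RRSIG Original TTL and the time left until expiration.
    Returns 0 when the signature has already expired."""
    remaining = expiration - now
    if remaining <= 0:
        return 0
    return min(rrset_ttl, rrsig_ttl, original_ttl, remaining)


def answer_from_cache(cache_time: int, query_time: int, rrset_ttl: int,
                      rrsig_ttl: int, original_ttl: int, expiration: int,
                      cap: bool) -> str:
    """Classify what a resolver hands out at `query_time` for an RRset it
    validated and cached at `cache_time`.

    Returns one of:
      "refetch"        - cache entry has aged out, resolver must re-query/revalidate
      "valid"          - served from cache while the RRSIG is still valid
      "stale-rrsig"    - served from cache although the RRSIG has expired
                         (the behaviour the thread reports; only possible uncapped)
    """
    if cap:
        ttl = capped_ttl(rrset_ttl, rrsig_ttl, original_ttl, expiration, cache_time)
    else:
        ttl = min(rrset_ttl, rrsig_ttl, original_ttl)  # naive: ignores expiration
    if query_time - cache_time >= ttl:
        return "refetch"
    return "valid" if query_time <= expiration else "stale-rrsig"


def thread_scenario(cap: bool) -> str:
    """Constructed reproduction of the reported case: records with a 2-day
    TTL, validated and cached when the signature has one day left, then
    queried 1.5 days later."""
    cache_time = parse_rrsig_time("20110330120000")   # constructed instant
    expiration = cache_time + 1 * DAY                  # constructed expiry
    query_time = cache_time + DAY + DAY // 2           # 1.5 days later
    return answer_from_cache(cache_time, query_time, rrset_ttl=2 * DAY,
                             rrsig_ttl=2 * DAY, original_ttl=2 * DAY,
                             expiration=expiration, cap=cap)


if __name__ == "__main__":
    print("uncapped cache:", thread_scenario(cap=False))   # stale-rrsig
    print("capped cache:  ", thread_scenario(cap=True))    # refetch
```

With the cap in place the cache entry is limited to the one day left on the signature, so the resolver re-queries and revalidates before it could ever set AD on an answer covered by an expired RRSIG; without the cap the same entry is served for the full two days, which is exactly the symptom reported at the top of the thread.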
