On 30/03/2011 9:30 AM, Paul Wouters wrote:
On Wed, 30 Mar 2011, W.C.A. Wijngaards wrote:

I read that as: if the record is authenticated, put it in the cache and
use it until the TTL has expired.

Actually unbound caps the TTL so it does not extend beyond the
expiration time.

Interesting. Isn't that dangerous? It could cause peak loads if all
resolvers worldwide throw away the record at the exact same time...

Paul


The section to read is 5.3.3, last paragraph:
   If the resolver accepts the RRset as authentic, the validator MUST
   set the TTL of the RRSIG RR and each RR in the authenticated RRset to
   a value no greater than the minimum of:

   o  the RRset's TTL as received in the response;

   o  the RRSIG RR's TTL as received in the response;

   o  the value in the RRSIG RR's Original TTL field; and

   o  the difference of the RRSIG RR's Signature Expiration time and the
      current time.
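The paragraph quoted above is the last paragraph of RFC 4035 section 5.3.3. The rule it states is a single minimum over four values, and the fourth term (signature expiration minus the current time) is what keeps a cached record from outliving its signature. The following Python is an added example written for this thread; it is not Unbound's code, and the sample RRSIG values are constructed for illustration. It assumes the RRSIG expiration is given in the presentation format of RFC 4034 section 3.2 (YYYYMMDDHHmmSS, UTC) and converts it to seconds since the epoch before applying the cap.

```python
from datetime import datetime, timezone


def parse_rrsig_time(text: str) -> int:
    """Convert an RRSIG Signature Expiration/Inception in presentation
    format (YYYYMMDDHHmmSS, UTC, RFC 4034 section 3.2) to epoch seconds."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def capped_ttl(rrset_ttl: int, rrsig_ttl: int, original_ttl: int,
               sig_expiration: int, now: int):
    """Largest TTL a validator may cache an authenticated RRset with,
    per RFC 4035 section 5.3.3: the minimum of the RRset TTL, the RRSIG
    TTL, the RRSIG Original TTL, and (Signature Expiration - now).

    Returns None when the signature is not valid in the future at all;
    such an RRset fails validation and must not be cached as authentic.
    """
    remaining = sig_expiration - now
    if remaining <= 0:
        return None
    return min(rrset_ttl, rrsig_ttl, original_ttl, remaining)


# Constructed sample: an RRset and RRSIG received on 2011-03-30 09:30 UTC.
SAMPLE = {
    "rrset_ttl": 86400,                 # TTL of the answer RRs as received
    "rrsig_ttl": 86400,                 # TTL of the RRSIG RR as received
    "original_ttl": 86400,              # RRSIG Original TTL field
    "expiration": "20110331000000",     # RRSIG Signature Expiration (UTC)
    "now": "20110330093000",            # validator's clock (UTC)
}


def sample_cap() -> int:
    """Apply the cap to SAMPLE; the signature expires in 14h30m, which is
    shorter than every TTL, so the cache entry lives 52200 seconds."""
    return capped_ttl(SAMPLE["rrset_ttl"], SAMPLE["rrsig_ttl"],
                      SAMPLE["original_ttl"],
                      parse_rrsig_time(SAMPLE["expiration"]),
                      parse_rrsig_time(SAMPLE["now"]))


if __name__ == "__main__":
    print("cache TTL for sample:", sample_cap())
```

With a signature that expires well after every TTL, the minimum is simply the smallest of the three TTL fields; the expiration term only bites in the window just before the signature expires, which is the behaviour discussed in the thread.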




_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
