[nsd-users] wildcard+ANY validation issue between NSD and Unbound

Miek Gieben miek at miek.nl
Fri Feb 24 19:13:48 UTC 2012


[ Quoting <wouter at NLnetLabs.nl> at 18:00 on Feb 24 in "Re: [nsd-users] wild..." ]
> An RRSIG cannot expire on its own.  If the TTL expires, then the data
> it came with has expired too.  If the expiration-date hits, well if
> the TTL is longer than expiration (and the signature is valid) then
> the TTL is reduced.  So if the RRSIG expires, then its TTL has expired
> and so has the TTL on the data :-)

Nice.

But the point I was trying to make (I think I failed there...) was that
a dumb resolver still cannot be sure wrt ANY queries. If it hits
unbound it's lucky, if it hits my soon-to-be-written-Go-dns-cache it's
not so lucky.

grtz Miek
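
The TTL capping described in the quoted text, as an added example that is not part of the original message and is not taken from Unbound or NSD: a Go function that applies the rule from RFC 4035 section 5.3.3 to an already validated RRset. The names `SigFields`, `remaining` and `CacheTTL` are hypothetical, and the timestamp in `main` is constructed.

```go
package main

import "fmt"

// SigFields holds the RRSIG values a cache needs after validation
// (RFC 4034, section 3.1). Hypothetical type for this example.
type SigFields struct {
	TTL        uint32 // TTL of the RRSIG RR as received
	OrigTTL    uint32 // Original TTL field inside the RRSIG RDATA
	Expiration uint32 // Signature Expiration, seconds since epoch mod 2^32
}

// remaining returns the seconds left until expiration, compared with
// RFC 1982 serial number arithmetic so a wrapped 32-bit clock still works.
// It returns 0 when the expiration time has been reached or passed.
func remaining(expiration, now uint32) uint32 {
	d := int32(expiration - now) // unsigned wrap, then signed distance
	if d <= 0 {
		return 0
	}
	return uint32(d)
}

// CacheTTL returns the TTL to store for the RRset and its RRSIG: the
// minimum of the received RRset TTL, the RRSIG TTL, the Original TTL and
// the time left on the signature. ok is false if the signature has
// expired, in which case nothing should be cached as validated.
// Assumption: the caller has already verified the signature itself.
func CacheTTL(rrsetTTL uint32, sig SigFields, now uint32) (ttl uint32, ok bool) {
	left := remaining(sig.Expiration, now)
	if left == 0 {
		return 0, false
	}
	ttl = rrsetTTL
	for _, v := range []uint32{sig.TTL, sig.OrigTTL, left} {
		if v < ttl {
			ttl = v
		}
	}
	return ttl, true
}

func main() {
	now := uint32(1330110828) // constructed "current time"
	sig := SigFields{TTL: 3600, OrigTTL: 3600, Expiration: now + 300}
	ttl, ok := CacheTTL(3600, sig, now)
	fmt.Println(ttl, ok) // data and signature leave the cache together
}
```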