[Unbound-users] Expired RRSIGs, yet still "AD" flag set
W.C.A. Wijngaards
wouter at NLnetLabs.nl
Wed Mar 30 12:49:41 UTC 2011
Hi,
On 03/30/2011 02:48 PM, Paul Wouters wrote:
> On Wed, 30 Mar 2011, Hauke Lampe wrote:
>
>> I have a case here where RRSIGs expired, yet Unbound still sets the "AD"
>> flag in responses. The records have a TTL of 2 days, so I think the
>> signatures expired while in the cache and Unbound did not revalidate
>> them before handing out the answer.
>>
>> I'm not too deep into the details of all DNSSEC RFCs. Is this behaviour
>> permitted by the standard or is it a bug in Unbound?
>
> RFC4034 states:
>
> 3.1.5. Signature Expiration and Inception Fields
>
> The Signature Expiration and Inception fields specify a validity
> period for the signature. The RRSIG record MUST NOT be used for
> authentication prior to the inception date and MUST NOT be used for
> authentication after the expiration date.
>
> I read that as: if the record is authenticated, put it in the cache and
> use it until the TTL has expired.
Actually unbound caps the TTL so it does not extend beyond the
expiration time. Or, it should, and there is a bug. It also has clock
skew stuff (for daylight saving mistakes and timezone trouble, really).
Best regards,
Wouter
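The RFC 4034 section 3.1.5 window check that Paul quotes and the TTL cap Wouter describes, as an added example that is not Unbound's own code; the symmetric clock-skew tolerance, the constructed timestamps and the function names are assumptions.

```python
from dataclasses import dataclass

SERIAL_MOD = 1 << 32      # RRSIG times are 32-bit seconds since the epoch
HALF = SERIAL_MOD >> 1    # and are compared with RFC 1982 serial arithmetic


def serial_diff(a: int, b: int) -> int:
    """Signed a - b in serial-number arithmetic (correct across the 2^32 wrap)."""
    d = (a - b) % SERIAL_MOD
    return d - SERIAL_MOD if d >= HALF else d


@dataclass
class Rrsig:
    inception: int    # RFC 4034 3.1.5 Signature Inception
    expiration: int   # RFC 4034 3.1.5 Signature Expiration


def rrsig_usable(sig: Rrsig, now: int, skew: int = 0) -> bool:
    """RFC 4034 3.1.5: MUST NOT be used before inception or after expiration.
    skew widens the window on both sides (assumed model of the clock-skew
    tolerance mentioned in the message)."""
    too_early = serial_diff(now + skew, sig.inception) < 0
    expired = serial_diff(sig.expiration, now - skew) < 0
    return not too_early and not expired


def capped_ttl(rr_ttl: int, sig: Rrsig, now: int, skew: int = 0):
    """TTL a validator should cache the RRset with: the record TTL, capped so
    the cache entry never outlives the signature. None if not usable now."""
    if not rrsig_usable(sig, now, skew):
        return None
    return min(rr_ttl, max(0, serial_diff(sig.expiration, now)))


def stale_ad_served(cached_at: int, ttl_used: int, sig: Rrsig, now: int) -> bool:
    """The reported symptom: an entry stored at cached_at with ttl_used is still
    answered from cache at `now` although its RRSIG is no longer within its window."""
    in_cache = serial_diff(now, cached_at) < ttl_used
    return in_cache and not rrsig_usable(sig, now)


if __name__ == "__main__":
    DAY = 86400
    now = 1_300_000_000                       # constructed timestamp
    sig = Rrsig(now - DAY, now + 6 * 3600)    # signature expires in six hours
    later = now + DAY                         # a day later: 2-day TTL not yet over
    print("uncapped 2-day TTL, stale AD:", stale_ad_served(now, 2 * DAY, sig, later))
    print("capped TTL:", capped_ttl(2 * DAY, sig, now),
          "stale AD:", stale_ad_served(now, capped_ttl(2 * DAY, sig, now), sig, later))
```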