[Unbound-users] Expired RRSIGs, yet still "AD" flag set
wouter at NLnetLabs.nl
Wed Mar 30 12:49:41 UTC 2011
On 03/30/2011 02:48 PM, Paul Wouters wrote:
> On Wed, 30 Mar 2011, Hauke Lampe wrote:
>> I have a case here where RRSIGs expired, yet Unbound still sets the "AD"
>> flag in responses. The records have a TTL of 2 days, so I think the
>> signatures expired while in the cache and Unbound did not revalidate
>> them before handing out the answer.
>> I'm not too deep into the details of all DNSSEC RFCs. Is this behaviour
>> permitted by the standard or is it a bug in Unbound?
> RFC4034 states:
> 3.1.5. Signature Expiration and Inception Fields
> The Signature Expiration and Inception fields specify a validity
> period for the signature. The RRSIG record MUST NOT be used for
> authentication prior to the inception date and MUST NOT be used for
> authentication after the expiration date.
> I read that as: if the record is authenticated, put it in the cache and
> use it until the TTL has expired.
Actually unbound caps the TTL so it does not extend beyond the
expiration time. Or, it should, and there is a bug. It also has clock
skew stuff (for daylight saving mistakes and timezone trouble, really).
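The behaviour discussed in this thread, as an added illustration rather than Unbound's own code: a validator must not treat an RRSIG as valid outside its inception/expiration window (RFC 4034 section 3.1.5, with the 32-bit serial-number comparison the RFC requires), and a cache that wants to keep setting AD honestly has to cap the stored TTL so the entry dies no later than the signature expires. The `ValidatingCache` class, the `skew` parameter, the timestamps and the `www.example.` record are all constructed for this example; the real daemon's skew policy and cache internals are not reproduced here.

```python
MASK32 = 0xFFFFFFFF  # RRSIG inception/expiration are 32-bit seconds since the epoch


def serial_gt(a, b):
    """RFC 1982 serial-number comparison: a > b modulo 2^32 (RFC 4034 3.1.5)."""
    a, b = a & MASK32, b & MASK32
    return (a < b and b - a > 2 ** 31) or (a > b and a - b < 2 ** 31)


def sig_valid_at(now, inception, expiration, skew=0):
    """RFC 4034 3.1.5: an RRSIG MUST NOT be used for authentication before
    inception or after expiration.  `skew` (seconds) widens both ends the way a
    validator's clock-skew allowance does; 0 is the strict reading of the RFC."""
    if serial_gt(inception, now + skew):   # too early, even allowing for skew
        return False
    if serial_gt(now, expiration + skew):  # too late, even allowing for skew
        return False
    return True


def capped_ttl(rr_ttl, now, expiration):
    """TTL to store for a validated RRset: the record's own TTL, capped so the
    cache entry expires no later than the signature does.  Returns 0 when the
    signature has already expired."""
    if serial_gt(now, expiration):
        return 0
    remaining = (expiration - now) & MASK32
    return min(rr_ttl, remaining)


class ValidatingCache:
    """Toy cache (constructed for this example): entries carry the rdata, an
    absolute cache expiry time and a 'secure' flag that drives the AD bit."""

    def __init__(self, cap_ttl=True):
        self.cap_ttl = cap_ttl   # False reproduces the symptom reported above
        self.entries = {}

    def store(self, name, rdata, rr_ttl, now, inception, expiration, skew=0):
        secure = sig_valid_at(now, inception, expiration, skew)
        if secure and self.cap_ttl:
            ttl = capped_ttl(rr_ttl, now, expiration)
        else:
            ttl = rr_ttl
        self.entries[name] = (rdata, now + ttl, secure)
        return ttl

    def lookup(self, name, now):
        """Return (rdata, ad_flag), or None once the entry has left the cache."""
        entry = self.entries.get(name)
        if entry is None or now >= entry[1]:
            return None
        return (entry[0], entry[2])


def demo():
    """Replay the scenario from the thread: record TTL of 2 days, RRSIG that
    expires 1 day after validation, query arriving 36 hours later.  Returns the
    lookup result with capping disabled (False) and enabled (True)."""
    DAY = 86400
    t0 = 1301489381                      # constructed timestamp
    inception, expiration = t0 - 7 * DAY, t0 + 1 * DAY
    results = {}
    for cap in (False, True):
        cache = ValidatingCache(cap_ttl=cap)
        cache.store("www.example.", ["192.0.2.1"], rr_ttl=2 * DAY, now=t0,
                    inception=inception, expiration=expiration)
        results[cap] = cache.lookup("www.example.", t0 + 36 * 3600)
    return results


if __name__ == "__main__":
    for cap, result in demo().items():
        print(f"cap_ttl={cap}: {result}")
```

Without the cap the entry is still served with AD set twelve hours after the RRSIG expired, which is the symptom reported; with the cap the entry has already left the cache and the resolver has to fetch and revalidate. The skew allowance deliberately only widens the validity check, not the cached TTL, since a validator that tolerated a slightly early signature should still drop the data at the real expiration.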