[Unbound-users] Expired RRSIGs, yet still "AD" flag set
Hauke Lampe
lampe at hauke-lampe.de
Wed Mar 30 13:33:18 UTC 2011
Paul Wouters wrote:
----- Original message -----
> RFC4034 states:
>
> 3.1.5. Signature Expiration and Inception Fields
>
> The Signature Expiration and Inception fields specify a validity
> period for the signature. The RRSIG record MUST NOT be used for
> authentication prior to the inception date and MUST NOT be used for
> authentication after the expiration date.
>
> I read that as: if the record is authenticated, put it in the cache and
> use it until the TTL has expired.
Indeed, that makes sense. The combination of AD with expired signatures is a bit counter-intuitive to me. In this case, AD doesn't say "This response *is* valid" but "it *was* valid when it got cached".
Thanks for the clarification.
Hauke.
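The cache behaviour discussed in this exchange, as an added example that is not part of the original thread and not Unbound's own code: a small model of a validating resolver that applies the RFC 4034 section 3.1.5 check at validation time and then serves the RRset from cache, AD set, for the full TTL even after the signature has expired. The second policy, which additionally caps the cache lifetime at the signature expiration, is shown as an assumed alternative for comparison and is not a claim about what any particular resolver does. All timestamps and RRSIG values are constructed.

```python
# Added example (not from the original thread or from Unbound's source):
# models RFC 4034 section 3.1.5 RRSIG validity checking and the cache
# behaviour discussed above. Timestamps are plain Unix seconds; the
# sample RRSIG values are constructed for illustration.

from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class RRSIG:
    """The two validity fields of an RRSIG RR (RFC 4034 section 3.1.5)."""
    inception: int   # signature valid from (Unix time, inclusive)
    expiration: int  # signature valid until (Unix time, inclusive)


def rrsig_usable(sig: RRSIG, now: int) -> bool:
    """RFC 4034 3.1.5: an RRSIG MUST NOT be used for authentication
    before inception or after expiration. Real resolvers use serial
    arithmetic on 32-bit timestamps; plain comparison is enough here."""
    return sig.inception <= now <= sig.expiration


@dataclass
class CacheEntry:
    expires_at: int   # cache expiry: validation time + RRset TTL
    secure: bool      # AD-worthy: the RRset validated when it was cached


class Resolver:
    """Minimal model of a validating cache with two TTL policies:
    'rfc'   caches for the full RRset TTL once validated (the behaviour
            described in the thread: AD means "was valid when cached");
    'clamp' additionally caps the cache lifetime at the signature
            expiration (an assumed hardening policy, not attributed to
            any specific resolver)."""

    def __init__(self, policy: str = "rfc"):
        assert policy in ("rfc", "clamp")
        self.policy = policy
        self.cache: Dict[str, CacheEntry] = {}

    def query(self, name: str, ttl: int, sig: RRSIG, now: int) -> Optional[bool]:
        """Return the AD flag a client would see, or None when the answer
        is bogus (signature outside its validity period, i.e. SERVFAIL)."""
        entry = self.cache.get(name)
        if entry is not None and now < entry.expires_at:
            return entry.secure          # cache hit: AD exactly as cached
        if not rrsig_usable(sig, now):
            return None                  # bogus: not cached, SERVFAIL
        expires_at = now + ttl
        if self.policy == "clamp":
            expires_at = min(expires_at, sig.expiration)
        self.cache[name] = CacheEntry(expires_at=expires_at, secure=True)
        return True


def demo() -> Dict[str, Optional[bool]]:
    """Constructed scenario: signature expires at t=1000, RRset TTL 3600,
    first query at t=900. The second query at t=1500 is past signature
    expiry but still inside the cache TTL."""
    sig = RRSIG(inception=0, expiration=1000)
    rfc, clamp = Resolver("rfc"), Resolver("clamp")
    return {
        "rfc_first": rfc.query("www.example.", 3600, sig, now=900),
        "rfc_after_expiry": rfc.query("www.example.", 3600, sig, now=1500),
        "clamp_first": clamp.query("www.example.", 3600, sig, now=900),
        "clamp_after_expiry": clamp.query("www.example.", 3600, sig, now=1500),
    }


if __name__ == "__main__":
    print(demo())
```

Under the 'rfc' policy the second query at t=1500 is a cache hit and still carries AD, which is exactly the situation that prompted this thread; under the assumed 'clamp' policy the entry has already been evicted at t=1000, the signature is re-checked, fails the expiration test, and the answer becomes bogus. Which of the two an operator prefers is a trade-off between cache efficiency and how literally AD should be read at query time.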