[Unbound-users] Expired RRSIGs, yet still "AD" flag set

Olafur Gudmundsson ogud at ogud.com
Thu Mar 31 09:09:21 UTC 2011

On 30/03/2011 9:30 AM, Paul Wouters wrote:
> On Wed, 30 Mar 2011, W.C.A. Wijngaards wrote:
>>> I read that as: if the record is authenticated, put it in the cache and
>>> use it until the TTL has expired.
>> Actually unbound caps the TTL so it does not extend beyond the
>> expiration time.
> Interesting. Isn't that dangerous? It could cause peak loads if all
> resolvers worldwide throw away the record at the exact same time...
> Paul

The section to read is 5.3.3 last paragraph:
    If the resolver accepts the RRset as authentic, the validator MUST
    set the TTL of the RRSIG RR and each RR in the authenticated RRset to
    a value no greater than the minimum of:

    o  the RRset's TTL as received in the response;

    o  the RRSIG RR's TTL as received in the response;

    o  the value in the RRSIG RR's Original TTL field; and

    o  the difference of the RRSIG RR's Signature Expiration time and the
       current time.
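As an added illustration (not code from the thread or from Unbound), the following Python applies exactly those four bounds, using the RFC 1982 serial-number arithmetic that RFC 4034 prescribes for the 32-bit Signature Expiration and Inception fields, and refuses to produce a cache TTL at all when the current time lies outside the signature's validity window. The `RRSig` class and field names are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import Optional

MASK32 = 0xFFFFFFFF
HALF32 = 1 << 31


def serial_diff(a: int, b: int) -> int:
    """RFC 1982 serial-number difference a - b for 32-bit values.

    RRSIG time fields are unsigned 32-bit counts of seconds since the epoch
    and are compared with serial arithmetic, so wrap-around is handled here.
    """
    d = (a - b) & MASK32
    return d - (1 << 32) if d >= HALF32 else d


@dataclass
class RRSig:
    """Minimal view of an RRSIG RR (assumed layout for this example)."""
    ttl: int            # TTL of the RRSIG RR as received
    original_ttl: int   # Original TTL field inside the RRSIG RDATA
    inception: int      # Signature Inception, seconds since epoch mod 2^32
    expiration: int     # Signature Expiration, seconds since epoch mod 2^32


def cache_ttl(rrset_ttl: int, sig: RRSig, now: int) -> Optional[int]:
    """Return the TTL a validator may cache an authenticated RRset with.

    Implements the RFC 4035 5.3.3 cap quoted above: the minimum of the
    RRset TTL, the RRSIG TTL, the Original TTL, and the seconds left until
    Signature Expiration.  Returns None when `now` is outside the
    inception..expiration window (RFC 4035 5.3.1), in which case the RRset
    must not be accepted as authentic in the first place.
    """
    if serial_diff(now, sig.inception) < 0:
        return None                      # signature not yet valid
    remaining = serial_diff(sig.expiration, now)
    if remaining < 0:
        return None                      # signature expired
    return min(rrset_ttl, sig.ttl, sig.original_ttl, remaining)
```

The effect Paul asks about is visible in the last bound: every validator that holds the RRset will drop it no later than the signature's expiration, regardless of the zone's TTL.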
