caching of expired RRSIG's?
Marc Lampo
marc.lampo at eurid.eu
Mon Jan 3 09:17:24 UTC 2011
Hello group,
and my best wishes for a healthy and challenging 2011!
Allow me to return to the issue of caching expired RRSIG's.
In RFC4035, DNSSEC protocol, in section 4: Resolving
4.5. Response Caching
A security-aware resolver SHOULD cache each response as a single
atomic entry containing the entire answer, including the named RRset
and any associated DNSSEC RRs. The resolver SHOULD discard the
entire atomic entry when any of the RRs contained in it expire.
In a preceding paragraph on Recursive Name Servers (3.2), it reads:
The resolver side follows the usual rules for caching and negative
caching that would apply to any security-aware resolver.
--> I interpret that the discarding of an entire atomic entry
when (even at least) one RRSIG in it expires (even though others may
still be valid)
is a recommendation (only).
If anybody disagrees with this interpretation,
and interprets it like expired RRSIG's *must* be deleted from a cache,
would you be so kind as to share the reference(s) to any RFC's on which you base
your interpretation.
At this moment, we continue to warn against RRSIG's that may expire while
in some cache.
(because throwing them out is "recommended" only).
And for those implementations that do follow the interpretation,
those should not cache a reply with any RRSIG already expired,
even if there are other RRSIG's that are still valid
and still allow for successful validation of the entire answer.
Thanks and kind regards,
Marc Lampo
Security Officer
EURid
Woluwelaan 150
1831 Diegem - Belgium
TEL.: +32 (0) 2 401 3030
MOB.:+32 (0)476 984 391
marc.lampo at eurid.eu
http://www.eurid.eu
Want a .eu web address in your own language? Find out how so you don't
miss out!
Register your .eu domain name and win an iPod touch this X-Mas
http://www.winwith.eu
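As an added illustration of the RFC 4035 section 4.5 rule the post discusses (not code from the post or from BIND), here is a toy security-aware resolver cache that stores the answer as one atomic entry and drops it as soon as any RRSIG in it reaches its Signature Expiration; the record layout, the helper names and the sample RRSIGs are constructed for the example.

```python
"""Toy RFC 4035 4.5 response cache (constructed example).

An answer (RRset + its RRSIGs) is cached as a single atomic entry whose
lifetime is the earliest of the TTL expiry and every RRSIG's Signature
Expiration. A reply carrying an RRSIG that is already expired (or not
yet valid) is not cached at all, even if another RRSIG would still
validate the RRset. Signature times are treated as plain epoch ints here;
a real resolver uses 32-bit serial-number arithmetic (RFC 4034 3.1.5)."""
from dataclasses import dataclass
from datetime import datetime, timezone


def parse_rrsig_time(text: str) -> int:
    """RRSIG presentation-format time YYYYMMDDHHmmSS (RFC 4034 3.2) -> epoch seconds (UTC)."""
    return int(datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc).timestamp())


@dataclass
class RRSIG:
    inception: int    # Signature Inception, epoch seconds
    expiration: int   # Signature Expiration, epoch seconds
    key_tag: int


@dataclass
class AtomicEntry:
    name: str
    rtype: str
    ttl: int
    cached_at: int
    rrsigs: list

    def expires_at(self) -> int:
        """Entry dies when the TTL runs out OR the earliest RRSIG expires, whichever is first."""
        return min([self.cached_at + self.ttl] + [s.expiration for s in self.rrsigs])


def cache_response(now: int, name: str, rtype: str, ttl: int, rrsigs: list):
    """Store the whole answer atomically; refuse it if any RRSIG is outside its validity window."""
    if any(not (s.inception <= now < s.expiration) for s in rrsigs):
        return None
    return AtomicEntry(name, rtype, ttl, now, list(rrsigs))


def lookup(entry, now: int):
    """Serve from cache only while the atomic entry as a whole is still valid."""
    return entry if entry is not None and now < entry.expires_at() else None


# Constructed sample: two RRSIGs over one RRset (e.g. during a key rollover).
SIG_A = RRSIG(parse_rrsig_time("20101231000000"), parse_rrsig_time("20110110000000"), 11111)
SIG_B = RRSIG(parse_rrsig_time("20101231000000"), parse_rrsig_time("20110201000000"), 22222)
NOW = parse_rrsig_time("20110103091724")  # timestamp of the post
```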