DNSSEC - 1 RRSIG - expires while in cache

[Marc Lampo]

Hello,

In my opinion, the following situation should be avoided,
but I'd welcome motivated second opinions.

A DNSSEC verification script yielded a warning, this morning :

HIDDEN : (soa = HIDDEN) (# RRSIGS : 1) (keyid : HIDDEN)
inception        : 20101124231706 ok
now              : 20101127083003
expiration       : 20101129231706 ok
ttl              : 259200
expiration - ttl : 20101126231706 WARNING (becomes invalid during TTL)

In summary :
 There is one (1) RRSIG available,
 Which is valid now and not yet expired.
 However, given the TTL, the signature will expire while still in the
cache.

Q1: If a RRSIG is found in the cache (cache "hit"),
    but it is expired.
    ? should a validating caching name server "ignore" the RRSIG in the
cache
      and look for a "refresh" ?
    ? will Bind do so ?
Q2: Does Bind "automatic" resigning take the TTL into account ?
     (so that it does not resign later then "present expiration" - "TTL")
    Or is this irrelevant because the answer to earlier question
     is that an expired RRSIG in the cache must be refreshed.


Thanks and kind regards,


Marc Lampo
Security Officer
 
    EURid
    Woluwelaan 150    
    1831 Diegem - Belgium
    TEL.: +32 (0) 2 401 3030
    MOB.:+32 (0)476 984 391
    marc.lampo at eurid.eu
    http://www.eurid.eu
   


Want a .eu web address in your own language? Find out how so you don’t
miss out!


Register your .eu domain name and win an iPod though this X-Mas
http://www.winwith.eu