caching of expired RRSIG's ?
Florian Weimer
fweimer at bfk.de
Mon Jan 3 09:22:01 UTC 2011
* Marc Lampo:
> If anybody disagrees with this interpretation,
> and interprets it like expired RRSIG's *must* be deleted from a cache,
> would you be so kind to share the reference(s) any RFC's on which you base
> your interpretation.
You need to cache expired RRSIGs for some time, or else every DO=1
query for the relevant record triggers a cache miss, which would be
problematic.
This negative caching of DNSSEC-related failure is optional according
to the RFC, but is required as a practical matter in implementations
suitable for large-scale deployment.
--
Florian Weimer <fweimer at bfk.de>
BFK edv-consulting GmbH http://www.bfk.de/
Kriegsstraße 100 tel: +49-721-96201-1
D-76133 Karlsruhe fax: +49-721-96201-99
More information about the bind-users
mailing list