I am wondering whether those more experienced with DNSSEC could cast their eye on an issue, which is recurring monthly (seemingly at ZSK rollover).
https://dnsviz.net/d/itconsult-dns.info/YST9pA/dnssec/ which reported errors such as:-

> RRSIG itconsult-dns.info/NS alg 13, id 4992: With a TTL of 86400 the
> RRSIG RR can be in the cache of a non-validating resolver until 13
> hours, 39 minutes after it expires at 2021-08-25 00:30:00+00:00.

This domain is only for monitoring, and the issue (which was spotted when resolvers were periodically returning SERVFAIL) has been reported to the provider. It seems that their provider is in turn doing the DNSSEC, and that provider has asserted:-

> it is not possible to query rrsig it directly but only together with
> NS, so it can not be cached on non validating resolver

and:-

> the RRSIG TTL should match the NS record TTL, but ..., the validating
> resolver does not care, and should not, about RRSIG TTL. So the
> difference between the expiration of the rrsig and the TTL shouldn't
> or doesn't impact the online services.

Paraphrasing, they seem to be suggesting that DNSViz is reporting a theoretical issue which would not affect resolution of names used by "online services". Is this correct, and is there no real-world problem here?

Also, is there a typo in the DNSViz error message when it refers to "the cache of a non-validating resolver"? Does it not mean a "validating" resolver?

Best wishes,

Matthew
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
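An added worked example, not part of Matthew's message and not DNSViz's or the provider's code: a small Python model of the check behind the quoted DNSViz warning. The RRSIG record below is constructed (the covered type, algorithm, key tag and expiration follow the quoted message; the inception time, signer name and signature bytes are invented), and the analysis time is an assumption back-calculated from the "13 hours, 39 minutes" figure. The model contrasts the cache lifetime a non-validating resolver gives the RRSIG (the full TTL, which can run past the signature expiration) with the lifetime a validating resolver gives it (capped at the remaining validity, RFC 4035 section 5.3.3), and reports the window in which a non-validating cache would still hand out the expired RRSIG to a validator behind it.

```python
"""Model of the RRSIG TTL-versus-expiration check reported by DNSViz.

Added example, not DNSViz's or the DNS provider's code. SAMPLE_RRSIG is a
constructed record: covered type, algorithm, key tag and expiration follow
the DNSViz message quoted above; inception, signer and signature are made up.
"""
from datetime import datetime, timedelta, timezone

# Constructed RRSIG rdata in presentation format:
# covered alg labels orig_ttl expiration inception keytag signer signature
SAMPLE_RRSIG = (
    "NS 13 2 86400 20210825003000 20210811003000 4992 "
    "itconsult-dns.info. c29tZXNpZ25hdHVyZQ=="
)
# Assumed analysis time: expiration - TTL + 13h39m, which is what makes the
# quoted warning say "13 hours, 39 minutes".
SAMPLE_NOW = datetime(2021, 8, 24, 14, 9, tzinfo=timezone.utc)


def parse_dnssec_time(text):
    """YYYYMMDDHHmmSS (RFC 4034 section 3.2) -> timezone-aware UTC datetime."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(rdata):
    """Split RRSIG presentation-format rdata into its nine fields."""
    fields = rdata.split(None, 8)  # signature (last field) may contain spaces
    if len(fields) != 9:
        raise ValueError("RRSIG rdata needs 9 fields, got %d" % len(fields))
    return {
        "covered": fields[0],
        "algorithm": int(fields[1]),
        "labels": int(fields[2]),
        "original_ttl": int(fields[3]),
        "expiration": parse_dnssec_time(fields[4]),
        "inception": parse_dnssec_time(fields[5]),
        "key_tag": int(fields[6]),
        "signer": fields[7],
        "signature": fields[8],
    }


def signature_valid_at(rrsig, when):
    """A validator accepts the RRSIG only inside [inception, expiration]."""
    return rrsig["inception"] <= when <= rrsig["expiration"]


def cache_overhang(rrsig, ttl, now):
    """Seconds a non-validating cache that loads the RRSIG at `now` with `ttl`
    can keep serving it after the signature has expired (<= 0 means none)."""
    cache_until = now + timedelta(seconds=ttl)
    return int((cache_until - rrsig["expiration"]).total_seconds())


def validating_ttl(rrsig, ttl, now):
    """TTL a validating resolver applies: min of received TTL, Original TTL and
    remaining signature validity (RFC 4035 section 5.3.3), never negative."""
    remaining = int((rrsig["expiration"] - now).total_seconds())
    return max(0, min(ttl, rrsig["original_ttl"], remaining))


def describe(seconds):
    """Render a positive number of seconds as 'H hours, M minutes'."""
    hours, rest = divmod(seconds, 3600)
    return "%d hours, %d minutes" % (hours, rest // 60)


def dnsviz_style_warning(rrsig, ttl, now):
    """Return a warning in the shape DNSViz prints, or None if TTL fits."""
    overhang = cache_overhang(rrsig, ttl, now)
    if overhang <= 0:
        return None
    return (
        "RRSIG %s alg %d, id %d: With a TTL of %d the RRSIG RR can be in the "
        "cache of a non-validating resolver until %s after it expires at %s"
        % (rrsig["covered"], rrsig["algorithm"], rrsig["key_tag"], ttl,
           describe(overhang), rrsig["expiration"].isoformat(" "))
    )


def served_stale(rrsig, ttl, loaded_at, when):
    """True if a non-validating cache that loaded the RRSIG at `loaded_at`
    would still answer with it at `when`, yet a validator would reject it."""
    in_cache = loaded_at <= when < loaded_at + timedelta(seconds=ttl)
    return in_cache and not signature_valid_at(rrsig, when)


if __name__ == "__main__":
    rr = parse_rrsig(SAMPLE_RRSIG)
    print(dnsviz_style_warning(rr, 86400, SAMPLE_NOW))
    print("validating resolver caches for %d s" % validating_ttl(rr, 86400, SAMPLE_NOW))
    print("stale at 05:00 next day:", served_stale(rr, 86400, SAMPLE_NOW, parse_dnssec_time("20210825050000")))
```

The `served_stale` window (from signature expiration until the non-validating cache's TTL runs out) is the case the warning is about: a validating resolver or stub that forwards through a non-validating cache can receive the expired RRSIG during that window and fail validation, which is consistent with the intermittent SERVFAIL described above. A resolver that validates itself clamps the TTL as `validating_ttl` does and is not affected.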
