--- Begin Message ---
> On Sep 5, 2021, at 9:08 AM, Matthew Richardson <[email protected]> wrote:
>
>> the RRSIG TTL should match the NS record TTL, but ..., the validating
>> resolver does not care, and should not, about RRSIG TTL. So the
>> difference between the expiration of the rrsig and the TTL shouldn't
>> or doesn't impact the online services.
>
That may be true for validating recursive name servers, because the spec
says the validator should use the minimum of the two TTLs if they differ.
However, if there is a non-validating resolver (cache) in the resolution
path then they can be cached differently and the wrong signatures could
be returned to a client.
DW
--- End Message ---
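To make the caching difference in the reply above concrete, here is an added simulation (constructed example, not code from the thread): an NS RRset with a 3600 s TTL and an RRSIG with a 300 s TTL pass through a cache for a zone that is re-delegated and re-signed at t=600; the non-validating cache keeps the stale NS set but refetches a fresh signature, while the validating cache applies the smaller TTL to both. The record names, TTLs and the signature stand-in are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class RRset:
    ttl: int
    rdata: tuple          # NS names (constructed), e.g. ("ns1.example.", "ns2.example.")

@dataclass(frozen=True)
class RRSIG:
    ttl: int
    signed: tuple         # stand-in for a signature: the rdata it was computed over

def verifies(rrset, rrsig):
    """A client validating the answer: does the RRSIG cover this exact RRset?"""
    return rrsig.signed == rrset.rdata

def zone(now):
    """Assumed authoritative zone: the delegation changes and is re-signed at t=600."""
    ns = ("ns1.example.", "ns2.example.") if now < 600 else ("ns3.example.", "ns4.example.")
    return RRset(ttl=3600, rdata=ns), RRSIG(ttl=300, signed=ns)   # TTLs deliberately differ

class Cache:
    def __init__(self, validating):
        self.validating = validating
        self.entries = {}                 # "NS" / "RRSIG" -> (expiry, record)

    def store(self, now, rrset, rrsig):
        rr_ttl, sig_ttl = rrset.ttl, rrsig.ttl
        if self.validating:               # the min-of-the-two-TTLs rule the reply cites
            rr_ttl = sig_ttl = min(rr_ttl, sig_ttl)
        self.entries["NS"] = (now + rr_ttl, rrset)
        self.entries["RRSIG"] = (now + sig_ttl, rrsig)

    def fresh(self, now, key):
        hit = self.entries.get(key)
        return hit[1] if hit and hit[0] > now else None

    def answer(self, now):
        """Serve NS + RRSIG from cache, refetching only the pieces that have expired
        (with validating=True both always expire together)."""
        rrset, rrsig = self.fresh(now, "NS"), self.fresh(now, "RRSIG")
        if rrset is None or rrsig is None:
            auth_rrset, auth_rrsig = zone(now)
            rrset, rrsig = rrset or auth_rrset, rrsig or auth_rrsig
            self.store(now, rrset, rrsig)
        return rrset, rrsig

def client_validation(validating, query_times=(0, 1000)):
    # Whether the client's validation succeeds at each query time.
    cache = Cache(validating)
    return [verifies(*cache.answer(t)) for t in query_times]
```

With validating=False the second query returns the cached old NS set together with a signature made over the new one, so the client's validation fails; with validating=True both records are refetched together and validation succeeds.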
_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations