On Mon, Sep 06, 2021 at 09:36:24AM +0200, Vladimír Čunát wrote:
> I would not advise using QTYPE=RRSIG.
Oh, neither would I! But the claim by the provider that it can't happen is simply incorrect, and any DNS operation that depends on the principle, "Surely nobody would do _that_," is, in my experience, doomed to learn a hard lesson.
> Well, that depends on the caches. RRSIGs do have special rules for TTL handling
Only if the cache is DNSSEC-aware. An oblivious cache will cache whatever it gets according to the values it receives.
> Also, TTL should be trimmed (by signers and validators) not to go past RRSIG expiration (or original TTL). I can't recall where this is stated and how strongly.
It's in RFC 4033 section 8.1. But of course, a cache that isn't implementing DNSSEC isn't going to implement this advice either.

Best regards,

A

--
Andrew Sullivan
[email protected]

_______________________________________________
dns-operations mailing list
[email protected]
https://lists.dns-oarc.net/mailman/listinfo/dns-operations
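The TTL trimming the thread describes, as an added example that is not part of the original exchange: a DNSSEC-aware cache clamps the TTL of a signed RRset to the RRSIG's original TTL and to the time left before signature expiration, while an oblivious cache keeps whatever TTL it received. The RRSIG record and the clock values below are constructed for illustration.

```python
from datetime import datetime, timezone

# Constructed sample RRSIG in presentation format (signature bytes are a placeholder).
SAMPLE_RRSIG = ("example.com. 86400 IN RRSIG A 13 2 86400 "
                "20210907000000 20210906000000 12345 example.com. AQIDBA==")

def rrsig_time(field: str) -> int:
    """Convert an RRSIG YYYYMMDDHHmmSS field (UTC, RFC 4034 section 3.2) to epoch seconds."""
    return int(datetime.strptime(field, "%Y%m%d%H%M%S")
               .replace(tzinfo=timezone.utc).timestamp())

def parse_rrsig(text: str) -> dict:
    """Parse one RRSIG in presentation format into the fields needed for TTL handling."""
    (owner, ttl, _cls, rrtype, covered, _alg, _labels, orig_ttl,
     expiration, inception, _keytag, signer, *_sig) = text.split()
    if rrtype != "RRSIG":
        raise ValueError("not an RRSIG record")
    return {"owner": owner, "ttl": int(ttl), "covered": covered,
            "orig_ttl": int(orig_ttl), "expiration": rrsig_time(expiration),
            "inception": rrsig_time(inception), "signer": signer}

def validating_cache_ttl(rrset_ttl: int, rrsig: dict, now: int) -> int:
    """TTL a DNSSEC-aware cache may keep a signed RRset for.

    Clamped to the RRset TTL, the RRSIG's own TTL, the RRSIG original TTL and the
    seconds left before signature expiration (the trimming the thread refers to).
    Returns 0 when the signature is outside its validity window, i.e. not cacheable.
    """
    if not rrsig["inception"] <= now < rrsig["expiration"]:
        return 0
    return min(rrset_ttl, rrsig["ttl"], rrsig["orig_ttl"], rrsig["expiration"] - now)

def oblivious_cache_ttl(rrset_ttl: int, rrsig: dict, now: int) -> int:
    """A cache that does not implement DNSSEC caches what it received, signature or not."""
    return rrset_ttl

if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE_RRSIG)
    now = rrsig_time("20210906200000")  # four hours before the signature expires
    print("validating:", validating_cache_ttl(86400, sig, now))
    print("oblivious: ", oblivious_cache_ttl(86400, sig, now))
```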
