Maintained by: NLnet Labs

[Unbound-users] Expired RRSIGs, yet still "AD" flag set

Paul Wouters
Wed Mar 30 14:48:13 CEST 2011

On Wed, 30 Mar 2011, Hauke Lampe wrote:

> I have a case here where RRSIGs expired, yet Unbound still sets the "AD"
> flag in responses. The records have a TTL of 2 days, so I think the
> signatures expired while in the cache and Unbound did not revalidate
> them before handing out the answer.
> I'm not too deep into the details of all DNSSEC RFCs. Is this behaviour
> permitted by the standard or is it a bug in Unbound?

RFC4034 states:

3.1.5.  Signature Expiration and Inception Fields

    The Signature Expiration and Inception fields specify a validity
    period for the signature.  The RRSIG record MUST NOT be used for
    authentication prior to the inception date and MUST NOT be used for
    authentication after the expiration date.

I read that as: if the record is authenticated, put it in the cache and
use it until the TTL has expired.
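The interaction the thread is about, as an added example that is not code from Unbound or from either poster: a validator that checks the RRSIG inception/expiration window with the RFC 1982 serial arithmetic that RFC 4034 section 3.1.5 prescribes, and clamps the cache TTL of an authenticated RRset to the minimum of the TTLs and the seconds left before the signature expires, which is what RFC 4035 section 5.3.3 requires so that a cached answer cannot outlive its signature. Function names and sample values are constructed for illustration.

```python
"""Added example: RRSIG validity window and cache-TTL clamping.

RFC 4034 3.1.5: an RRSIG MUST NOT be used before its inception or after
its expiration; both fields are 32-bit seconds compared with RFC 1982
serial arithmetic.  RFC 4035 5.3.3: a validator MUST cache an
authenticated RRset for no longer than the minimum of the RRset TTL,
the RRSIG TTL, the RRSIG Original TTL and (expiration - now).
Function names and values here are constructed, not Unbound's code.
"""
from typing import Optional

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS
HALF = 1 << (SERIAL_BITS - 1)


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982: is 32-bit serial a less than serial b (wrap-safe)?"""
    a %= MOD
    b %= MOD
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


def rrsig_usable(now: int, inception: int, expiration: int) -> bool:
    """True only while inception <= now <= expiration (serial arithmetic)."""
    if serial_lt(expiration, inception):
        return False  # malformed: expiration lies before inception
    return not serial_lt(now, inception) and not serial_lt(expiration, now)


def cache_ttl(now: int, rrset_ttl: int, rrsig_ttl: int, original_ttl: int,
              inception: int, expiration: int) -> Optional[int]:
    """Seconds the validated RRset may be cached (and served with AD),
    or None if the RRSIG is outside its window and must not be used."""
    if not rrsig_usable(now, inception, expiration):
        return None
    time_left = (expiration - now) % MOD  # wrap-safe distance to expiry
    return min(rrset_ttl, rrsig_ttl, original_ttl, time_left)


if __name__ == "__main__":
    # Constructed scenario from the thread: records with a 2-day TTL
    # whose RRSIG expires in one hour.  Without the clamp the answer
    # would sit in cache for 172800 s; with it, only 3600 s.
    now = 1_301_490_000  # constructed "current time", seconds since epoch
    print(cache_ttl(now, 172800, 172800, 172800, now - 86400, now + 3600))
    print(cache_ttl(now + 7200, 172800, 172800, 172800, now - 86400, now + 3600))
```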