Maintained by: NLnet Labs

[Unbound-users] Expired RRSIGs, yet still "AD" flag set

Hauke Lampe
Wed Mar 30 15:33:18 CEST 2011


Paul Wouters wrote:

----- Original message -----
> RFC4034 states:
> 
> 3.1.5.   Signature Expiration and Inception Fields
> 
>         The Signature Expiration and Inception fields specify a validity
>         period for the signature.   The RRSIG record MUST NOT be used for
>         authentication prior to the inception date and MUST NOT be used for
>         authentication after the expiration date.
> 
> I read that as: if the record is authenticated, put it in the cache and
> use it until the TTL has expired.

Indeed, that makes sense. The combination of AD with expired signatures is a bit counter-intuitive to me. In this case, AD doesn't say "This response *is* valid" but "it *was* valid when it got cached".

Thanks for the clarification.


Hauke.
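As an added illustration of the two rules the thread touches (this is example code, not part of the original message or of Unbound): RFC 4034 section 3.1.5 compares the Inception and Expiration fields with RFC 1982 serial-number arithmetic, and RFC 4035 section 5.3.3 tells a validator to cap the cached TTL of an authenticated RRset at the seconds remaining until Signature Expiration, which is what keeps a cached answer from still carrying AD after its RRSIG has expired. Timestamps and TTLs used below are constructed values.

```python
"""Added example: RRSIG validity window and RFC 4035 5.3.3 TTL cap."""

MOD = 2 ** 32   # RRSIG timestamps are 32-bit seconds since the epoch
HALF = 2 ** 31  # RFC 1982 half-range used for wraparound-safe comparison


def serial_lte(a: int, b: int) -> bool:
    """RFC 1982 serial arithmetic: True if a <= b modulo 2^32."""
    a, b = a % MOD, b % MOD
    return a == b or (b - a) % MOD < HALF


def rrsig_valid_at(inception: int, expiration: int, now: int) -> bool:
    """RFC 4034 3.1.5: the RRSIG may be used only while
    inception <= now <= expiration (serial arithmetic)."""
    return serial_lte(inception, now) and serial_lte(now, expiration)


def capped_ttl(inception: int, expiration: int, now: int,
               rrset_ttl: int, rrsig_ttl: int, original_ttl: int) -> int:
    """RFC 4035 5.3.3: the TTL stored for an authenticated RRset and its
    RRSIG must not exceed the minimum of the received RRset TTL, the
    RRSIG TTL, the RRSIG Original TTL field, and (expiration - now)."""
    if not rrsig_valid_at(inception, expiration, now):
        raise ValueError("RRSIG outside its validity window; do not cache as authentic")
    remaining = (expiration - now) % MOD  # seconds of signature life left
    return min(rrset_ttl, rrsig_ttl, original_ttl, remaining)


def overrun_without_cap(expiration: int, now: int, rrset_ttl: int) -> int:
    """Seconds a cache would keep serving the RRset as authentic (AD set)
    past Signature Expiration if it used the raw RRset TTL instead of the
    capped one; this is the counter-intuitive case the thread describes."""
    remaining = (expiration - now) % MOD
    return max(0, rrset_ttl - remaining)


if __name__ == "__main__":
    inc, exp = 1_300_000_000, 1_301_000_000   # constructed window
    now = 1_300_999_000                        # 1000 s before expiration
    print(capped_ttl(inc, exp, now, 3600, 3600, 86400))   # 1000
    print(overrun_without_cap(exp, now, 3600))            # 2600
```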