Maintained by: NLnet Labs

[Unbound-users] Expired RRSIGs, yet still "AD" flag set

Patrik Wallström
Wed Mar 30 15:48:47 CEST 2011


On Mar 30, 2011, at 3:30 PM, Paul Wouters wrote:

> On Wed, 30 Mar 2011, W.C.A. Wijngaards wrote:
> 
>>> I read that as: if the record is authenticated, put it in the cache and
>>> use it until the TTL has expired.
>> 
>> Actually unbound caps the TTL so it does not extend beyond the
>> expiration time.
> 
> Interesting. Isn't that dangerous? It could cause peak loads if all
> resolvers worldwide throw away the record at the exact same time...

Only if you have expiration times that are shorter than TTL, right? Is that common?
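
An added example, not part of the thread and not unbound's code: the TTL cap discussed above, written out as the rule in RFC 4035 section 5.3.3 (cache no longer than the smallest of the RRset TTL, the RRSIG TTL, the RRSIG Original TTL, and the time left until Signature Expiration). The struct, the function names and the sample times are this example's own; the cap only changes the result when the remaining signature validity is shorter than the TTL.

```c
#include <stdint.h>
#include <stdio.h>

/* Timing fields of one RRSIG (struct and names are this example's own). */
struct rrsig_times {
    uint32_t rrsig_ttl;    /* TTL of the RRSIG RR as received */
    uint32_t original_ttl; /* Original TTL field inside the RRSIG */
    uint32_t inception;    /* Signature Inception, seconds mod 2^32 */
    uint32_t expiration;   /* Signature Expiration, seconds mod 2^32 */
};

/* a >= b in RFC 1982 serial arithmetic, so a 2^32 wrap compares correctly. */
static int serial_ge(uint32_t a, uint32_t b)
{
    return (uint32_t)(a - b) < 0x80000000u;
}

/* 1 if 'now' lies inside the signature validity window, else 0. */
int rrsig_in_window(const struct rrsig_times *s, uint32_t now)
{
    return serial_ge(now, s->inception) && serial_ge(s->expiration, now);
}

/* TTL to cache a validated RRset with; 0 means the signature is not usable. */
uint32_t capped_ttl(uint32_t rrset_ttl, const struct rrsig_times *s, uint32_t now)
{
    uint32_t ttl = rrset_ttl;
    uint32_t left;

    if (!rrsig_in_window(s, now))
        return 0;
    left = (uint32_t)(s->expiration - now); /* seconds of validity remaining */
    if (s->rrsig_ttl < ttl) ttl = s->rrsig_ttl;
    if (s->original_ttl < ttl) ttl = s->original_ttl;
    if (left < ttl) ttl = left;
    return ttl;
}

int main(void)
{
    uint32_t now = 1301491200u; /* constructed "current time" */
    struct rrsig_times soon = { 3600, 3600, now - 86400u, now + 600u };
    struct rrsig_times later = { 3600, 3600, now - 86400u, now + 2592000u };

    printf("expires in 10 min: cache for %u s\n", (unsigned)capped_ttl(3600, &soon, now));
    printf("expires in 30 days: cache for %u s\n", (unsigned)capped_ttl(3600, &later, now));
    return 0;
}
```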