Connected: An Internet Encyclopedia
4.4 Signature Expiration, TTLs, and Validity

From RFC 2065, section 4 (The SIG Resource Record)

4.4 Signature Expiration, TTLs, and Validity

Security aware servers must not consider SIG RRs to authenticate anything after their expiration time and must not consider any RR to be authenticated after its signatures have expired. Within that constraint, servers should continue to follow DNS TTL aging. Thus authoritative servers should continue to follow the zone refresh and expire parameters, and a non-authoritative server should count down the TTL and discard RRs when the TTL is zero. In addition, when RRs are transmitted in a query response, the TTL should be trimmed so that current time plus the TTL does not extend beyond the signature expiration time. Thus, in general, the TTL on a transmitted RR would be

         min(sigExpTim,max(zoneMinTTL,min(originalTTL,currentTTL)))

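The TTL rule above, worked through as an added example (not code from RFC 2065 or this encyclopedia page). It assumes sigExpTim in the formula stands for the seconds remaining until the signature expires (signature expiration minus current time), which is what the prose requirement "current time plus the TTL does not extend beyond the signature expiration time" amounts to; all times and records are constructed.

```python
from typing import List, Optional, Tuple


def trimmed_ttl(now: int, sig_expiration: int, zone_min_ttl: int,
                original_ttl: int, current_ttl: int) -> Optional[int]:
    """TTL to place on a transmitted RR, or None when the RR may no longer
    be treated as authenticated.  Times are absolute seconds (e.g. epoch).

    Assumed reading of the page's formula:
        min(sigExpTim, max(zoneMinTTL, min(originalTTL, currentTTL)))
    with sigExpTim = sig_expiration - now.
    """
    # A SIG authenticates nothing once its expiration time has passed.
    if now >= sig_expiration:
        return None
    # A non-authoritative server discards the RR when its TTL reaches zero.
    if current_ttl <= 0:
        return None
    # Seconds the signature is still valid for; the TTL must not outlive it.
    sig_exp_tim = sig_expiration - now
    # Normal DNS TTL aging, floored by the zone minimum TTL.
    aged_ttl = max(zone_min_ttl, min(original_ttl, current_ttl))
    return min(sig_exp_tim, aged_ttl)


# Record tuple: (owner name, RR type, original TTL, current cached TTL)
CachedRR = Tuple[str, str, int, int]


def trim_answer(now: int, sig_expiration: int, zone_min_ttl: int,
                rrs: List[CachedRR]) -> List[Tuple[str, str, int]]:
    """Build the (name, type, ttl) triples fit for a response, dropping RRs
    whose TTL has run out; all RRs here share one SIG expiration."""
    answer = []
    for name, rtype, original_ttl, current_ttl in rrs:
        ttl = trimmed_ttl(now, sig_expiration, zone_min_ttl,
                          original_ttl, current_ttl)
        if ttl is not None:
            answer.append((name, rtype, ttl))
    return answer


# Constructed sample: two cached A records under a SIG expiring at t=1500.
SAMPLE_NOW = 1000
SAMPLE_SIG_EXPIRATION = 1500
SAMPLE_RRS: List[CachedRR] = [
    ("www.example.", "A", 3600, 2000),   # cache TTL would outlive the SIG
    ("mail.example.", "A", 3600, 0),     # counted down to zero: discard
]
```

With the sample above, the first record is sent with TTL 500 (clipped to the 500 seconds of signature validity left) and the second is dropped.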
