Root and ARPA DNSSEC operational message - signature validity period

Wessels, Duane dwessels at verisign.com
Mon Jan 12 17:43:12 UTC 2015


DNSSEC signatures in the Root and ARPA zones were initially given a validity
period of 7 days.  The validity period is being increased to 10 days.

Both the Root and ARPA zones publish their NS RRsets with a TTL of 6 days.
A signature validity period of 7 days means that a root server instance
that is not updated within 24 hours may return NS RRset responses whose
TTL exceeds the signature validity.  This could cause problems for validating
recursive name servers that forward queries through non-validators.  A
longer signature validity provides a longer buffer in the distribution of
these zones.

Note that we are not aware of any cases where the 7-day signature validity
period has caused problems for DNSSEC validators.  This is a precautionary
measure.

As of today, the zones now have the increased validity period.  Please
feel free to contact us with concerns or questions.
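The TTL-versus-validity arithmetic described above, as an added example that is not part of the original message or Verisign's tooling: it parses RRSIG timestamps from constructed sample records and checks whether an NS RRset fetched from a lagging server instance could remain in a resolver's cache after its signature has expired. The record text, key tag and the 32-hour lag are assumptions.

```python
# Added example, not from the original message. It parses RRSIG records in
# presentation format (RFC 4034 timestamps, YYYYMMDDHHmmSS UTC) and checks the
# worst case the message describes: a resolver caches an NS RRset obtained from
# a lagging server instance, so the cached copy is still served after the
# signature itself has expired. The RRSIG lines are constructed samples.
from datetime import datetime, timedelta, timezone

NS_TTL = 6 * 86400  # Root/ARPA NS RRset TTL of 6 days, as stated in the message


def rrsig_time(field: str) -> datetime:
    """Parse an RRSIG expiration/inception field (YYYYMMDDHHmmSS, UTC)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line: str) -> dict:
    """Parse 'owner ttl class RRSIG type alg labels origttl exp inc keytag signer sig'."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record in presentation format")
    return {
        "owner": f[0], "type_covered": f[4], "original_ttl": int(f[7]),
        "expiration": rrsig_time(f[8]), "inception": rrsig_time(f[9]),
    }


def max_safe_lag(rrsig: dict, ttl: int) -> timedelta:
    """Longest distribution lag (measured from signature inception) for which a
    copy fetched from a lagging instance leaves every cache no later than the
    signature expires: (expiration - inception) - ttl."""
    validity = rrsig["expiration"] - rrsig["inception"]
    return validity - timedelta(seconds=ttl)


def cache_outlives_signature(rrsig: dict, fetched_at: datetime, ttl: int) -> bool:
    """True if an RRset fetched at `fetched_at` with TTL `ttl` would still be
    in a resolver's cache after the RRSIG has expired."""
    return fetched_at + timedelta(seconds=ttl) > rrsig["expiration"]


# Constructed samples: same inception, 7-day and 10-day validity periods.
RRSIG_7D = ". 518400 IN RRSIG NS 8 0 518400 20150119160000 20150112160000 12345 . SIGDATA"
RRSIG_10D = ". 518400 IN RRSIG NS 8 0 518400 20150122160000 20150112160000 12345 . SIGDATA"

if __name__ == "__main__":
    for line in (RRSIG_7D, RRSIG_10D):
        sig = parse_rrsig(line)
        # An instance 32 hours behind: past the 24-hour margin of a 7-day
        # validity, well within the 4-day margin of a 10-day validity.
        fetched = sig["inception"] + timedelta(hours=32)
        print(f"validity {sig['expiration'] - sig['inception']}: "
              f"max safe lag {max_safe_lag(sig, NS_TTL)}, stale cache possible "
              f"at +32h: {cache_outlives_signature(sig, fetched, NS_TTL)}")
```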