On Tue, 22 Jul 2025, Philip Homburg wrote:
I'm not aware of any part of the DNSSEC standards, key rolls, operational practice, etc. that leads to invalid RRSIGs.
You could have TTL issues so that a DNSKEY expires before all of its RRSIGs, but that seems easier to fix than tag collisions.
So from a standards point of view, MUST NOT have invalid RRSIGs seems fine. Obviously things can break. In that case it is fine if a resolver returns SERVFAIL.
Regards,
John Levine, [email protected], Taughannock Networks, Trumansburg NY
Please consider the environment before reading this e-mail. https://jl.ly
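The points above (a resolver finding the DNSKEY for an RRSIG by key tag, colliding tags making that lookup ambiguous, a DNSKEY disappearing from the cache before the RRSIGs it made, and SERVFAIL when nothing matches) can be shown in a small model of the key-selection step. The following is an added example, not code from the thread or from any resolver; it implements the key tag calculation of RFC 4034 Appendix B, the RFC 1982 serial-number comparison that RFC 4034 section 3.1.5 requires for the inception/expiration fields, and the candidate-key match of RFC 4035 section 5.3.1. The zone, keys and "public key" bytes are constructed toy values chosen only to steer the tags; real signature verification is left out on purpose.

```python
# Added worked example (not from the DNSOP thread or from any resolver code):
# how a validator picks candidate DNSKEYs for an RRSIG by (signer, algorithm,
# key tag) and checks the RRSIG validity window. All keys are constructed toy
# values; the "public keys" are a few bytes chosen only to steer the key tag.
import struct
from dataclasses import dataclass


def key_tag(rdata: bytes) -> int:
    """Key tag per RFC 4034 Appendix B (all algorithms except 1, RSA/MD5)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def dnskey_rdata(flags: int, algorithm: int, public_key: bytes) -> bytes:
    """Wire-format DNSKEY RDATA: flags(2), protocol(1, always 3), algorithm(1), key."""
    return struct.pack("!HBB", flags, 3, algorithm) + public_key


@dataclass(frozen=True)
class DNSKEY:
    owner: str
    flags: int
    algorithm: int
    public_key: bytes

    @property
    def tag(self) -> int:
        return key_tag(dnskey_rdata(self.flags, self.algorithm, self.public_key))


@dataclass(frozen=True)
class RRSIG:
    signer: str
    algorithm: int
    key_tag: int
    inception: int   # 32-bit seconds since epoch, as carried in the RRSIG RDATA
    expiration: int


def serial_le(a: int, b: int) -> bool:
    """a <= b in RFC 1982 serial-number arithmetic (RFC 4034 section 3.1.5)."""
    return ((b - a) & 0xFFFFFFFF) < 0x80000000


def rrsig_in_window(sig: RRSIG, now: int) -> bool:
    """Signature is usable only if inception <= now <= expiration (serial arithmetic)."""
    return serial_le(sig.inception, now) and serial_le(now, sig.expiration)


def candidate_keys(dnskeys, sig: RRSIG):
    """Every DNSKEY the validator has to try for this RRSIG (RFC 4035 section 5.3.1):
    same owner as the signer name, same algorithm, same key tag, Zone Key flag set.
    With colliding tags this list has more than one entry, and each costs a
    signature check before the validator can say whether the RRSIG is good."""
    return [k for k in dnskeys
            if k.owner == sig.signer
            and k.algorithm == sig.algorithm
            and k.flags & 0x0100
            and k.tag == sig.key_tag]


def validation_outcome(dnskeys, sig: RRSIG, now: int):
    """Returns (status, number_of_keys_to_try). Cryptographic verification is
    deliberately left out; the point is which keys the validator would try."""
    if not rrsig_in_window(sig, now):
        return ("bogus-window", 0)
    cands = candidate_keys(dnskeys, sig)
    if not cands:
        # No key matches, so there is nothing to verify with: the answer is bogus
        # and the resolver returns SERVFAIL. This is what a cached RRSIG sees when
        # the DNSKEY RRset was refetched after a roll and its signing key is gone.
        return ("bogus-no-key", 0)
    return ("verify", len(cands))


# Constructed zone: one KSK and two ZSKs. KSK_A and ZSK_B share key tag 1554.
KSK_A = DNSKEY("example.", 257, 13, bytes([0, 1, 2, 3]))
ZSK_B = DNSKEY("example.", 256, 13, bytes([0, 2, 2, 3]))
ZSK_C = DNSKEY("example.", 256, 13, bytes([0, 0, 0, 0]))
ZONE_KEYS = [KSK_A, ZSK_B, ZSK_C]

# Validity window straddling the 2^32 wrap, to show why plain integer
# comparison of the time fields would be wrong.
SIG_BY_B = RRSIG("example.", 13, ZSK_B.tag, 0xFFFFFF00, 0x00000100)
SIG_BY_C = RRSIG("example.", 13, ZSK_C.tag, 0xFFFFFF00, 0x00000100)

if __name__ == "__main__":
    now = 0x00000010
    print("tags:", KSK_A.tag, ZSK_B.tag, ZSK_C.tag)
    print("sig by B, full key set:", validation_outcome(ZONE_KEYS, SIG_BY_B, now))
    # After a roll removes ZSK_C, a still-cached RRSIG made by C has no key left.
    print("sig by C, C rolled out:", validation_outcome([KSK_A, ZSK_B], SIG_BY_C, now))
    print("sig by B, clock past expiration:", validation_outcome(ZONE_KEYS, SIG_BY_B, 0x200))
```

Two things worth noticing when running it: the RRSIG made by ZSK_B yields two candidate keys because KSK_A has the same tag, so a validator has to attempt verification with both before it can reject a bad signature; and once ZSK_C is rolled out of the DNSKEY RRset, an RRSIG it produced that is still in cache has no candidate at all and the only correct answer is bogus, hence SERVFAIL, which is the failure mode the message above calls a TTL issue rather than a protocol defect.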
