> On 22 Jul 2025, at 19:02, Philip Homburg <[email protected]> wrote:
> 
> In your letter dated 22 Jul 2025 18:24:11 +0200 you wrote:
>> On Tue, 22 Jul 2025, Philip Homburg wrote:
>>> I'm not aware of any part of the DNSSEC standards, key rolls, operational
>>> practice, etc. that leads to invalid RRSIGs.
>> 
>> You could have TTL issues so that a DNSKEY expires before all of its 
>> RRSIGs, but that seems easier to fix than tag collisions.
> 
> We have to be a bit careful how to define a bad RRSIG.
> 
> The problematic RRSIG is one where the algorithm and key tag matches a
> key in the DNSKEY RRset but the RRSIG is not a valid signature using that
> key over the RRset it covers.
> 
> RRSIGs that have an algorithm and key tag that doesn't match any key in 
> the DNSKEY RRset are normal (for example during a double signature ZSK 
> roll).
> 
> So if the DNSKEY RRset expires before the RRSIG then I think that would create
> an issue in the second category, which is not a problem from a validation
> point of view.

A DNSKEY is deemed to be "in use" as long as an RRSIG it has generated
continues to exist in normal DNS operations.  It is also "in use" as long as it
is being published or could be cached.  DNSSEC has lots of temporal
considerations.  This is just another one that needs to be accounted for.

> _______________________________________________
> DNSOP mailing list -- [email protected]
> To unsubscribe send an email to [email protected]

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: [email protected]
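An added illustration, not part of the thread above and not code from Philip, Mark, ISC or any DNSSEC implementation: a small Python sketch of how a validator sorts RRSIGs into the categories discussed. For each RRSIG it collects every DNSKEY with the same algorithm and key tag (there can be several, since tags collide), and reports "valid" if one of them verifies, "bad" if some match but none verifies (the problematic RRSIG), and "no matching key" if nothing matches, which is what an RRSIG left over from a ZSK that has already been dropped from the DNSKEY RRset looks like. Key tags follow RFC 4034 Appendix B and RSASHA256 is implemented with the standard library only; the RSA key (768 bits, a toy size chosen so the demo runs quickly), the example. zone, the addresses and the timestamps are all constructed for the demonstration.

```python
"""Added example (not code from the thread): sort RRSIGs as a validator does.  Key tag per
RFC 4034 Appendix B; RSASHA256 (algorithm 8) from the stdlib with a constructed 768-bit
toy RSA key so the demo runs quickly.  Never deploy keys like that."""
import hashlib, random, struct
from collections import namedtuple

_SHA256_DIGESTINFO = bytes.fromhex("3031300d060960864801650304020105000420")  # RFC 5702 3.1
VALID, BAD, NO_MATCHING_KEY = "valid", "bad: alg+tag match a DNSKEY, nothing verifies", "no matching key"
RsaKey = namedtuple("RsaKey", "n e d")                # d is private; a validator never has it
Dnskey = namedtuple("Dnskey", "flags algorithm key")  # flags 256 = ZSK, 257 = KSK (SEP bit)
Rrsig = namedtuple("Rrsig", "type_covered algorithm labels orig_ttl expiration inception key_tag signer signature")
_klen = lambda key: (key.n.bit_length() + 7) // 8     # modulus length in bytes

def key_tag(rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag over the DNSKEY RDATA (all algorithms except 1)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b if i & 1 else b << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF

def _random_prime(bits: int) -> int:
    while True:  # Miller-Rabin search, adequate for a constructed demo key
        n = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        d, s = n - 1, 0
        while d % 2 == 0:
            d, s = d // 2, s + 1
        for _ in range(24):
            x = pow(random.randrange(2, n - 1), d, n)
            if x in (1, n - 1):
                continue
            for _ in range(s - 1):
                x = pow(x, 2, n)
                if x == n - 1:
                    break
            else:
                break  # witness found, n is composite: next candidate
        else:
            return n

def make_key(bits: int = 768, e: int = 65537) -> RsaKey:
    while True:  # toy key; real RSASHA256 ZSKs are 2048 bits (or the zone uses ECDSA/EdDSA)
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and ((p - 1) * (q - 1)) % e:
            return RsaKey(p * q, e, pow(e, -1, (p - 1) * (q - 1)))

def dnskey_rdata(k: Dnskey) -> bytes:
    """Wire RDATA: flags, protocol 3, algorithm, RFC 3110 key (1-byte exponent length)."""
    exp = k.key.e.to_bytes((k.key.e.bit_length() + 7) // 8, "big")
    return struct.pack("!HBB", k.flags, 3, k.algorithm) + bytes([len(exp)]) + exp + k.key.n.to_bytes(_klen(k.key), "big")

def _wire_name(name: str) -> bytes:
    return b"".join(bytes([len(l)]) + l.encode() for l in name.lower().rstrip(".").split(".") if l) + b"\x00"

def rrsig_prefix(r: Rrsig) -> bytes:
    """RRSIG RDATA minus the signature field: the first part of the data that is signed."""
    return struct.pack("!HBBIIIH", r.type_covered, r.algorithm, r.labels, r.orig_ttl,
                       r.expiration, r.inception, r.key_tag) + _wire_name(r.signer)

def canonical_rrset(owner: str, rtype: int, ttl: int, rdatas: list) -> bytes:
    """RFC 4034 section 6: lowercase owner, class IN, original TTL, RRs sorted by RDATA."""
    return b"".join(_wire_name(owner) + struct.pack("!HHIH", rtype, 1, ttl, len(rd)) + rd
                    for rd in sorted(rdatas))

def _emsa(data: bytes, k: int) -> bytes:
    """EMSA-PKCS1-v1_5 encoding of SHA-256(data), k bytes long."""
    t = _SHA256_DIGESTINFO + hashlib.sha256(data).digest()
    return b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t

def sign(zsk: Dnskey, signer: str, owner: str, rtype: int, ttl: int, rdatas: list,
         inception: int, expiration: int) -> Rrsig:
    r = Rrsig(rtype, zsk.algorithm, owner.rstrip(".").count(".") + 1, ttl, expiration,
              inception, key_tag(dnskey_rdata(zsk)), signer, b"")  # labels: no wildcards here
    m = int.from_bytes(_emsa(rrsig_prefix(r) + canonical_rrset(owner, rtype, ttl, rdatas), _klen(zsk.key)), "big")
    return r._replace(signature=pow(m, zsk.key.d, zsk.key.n).to_bytes(_klen(zsk.key), "big"))

def rsasha256_verify(dk: Dnskey, data: bytes, sig: bytes) -> bool:
    k = _klen(dk.key)
    return len(sig) == k and pow(int.from_bytes(sig, "big"), dk.key.e, dk.key.n).to_bytes(k, "big") == _emsa(data, k)

def classify(r: Rrsig, dnskeys: list, owner: str, rdatas: list) -> str:
    data = rrsig_prefix(r) + canonical_rrset(owner, r.type_covered, r.orig_ttl, rdatas)
    # Key tags are not unique: try every key with the same (algorithm, tag), so a tag
    # collision with the wrong key does not by itself turn a good RRSIG into a bad one.
    cands = [k for k in dnskeys if k.algorithm == r.algorithm and key_tag(dnskey_rdata(k)) == r.key_tag]
    if not cands:
        return NO_MATCHING_KEY
    return VALID if any(rsasha256_verify(k, data, r.signature) for k in cands) else BAD

def demo() -> dict:
    random.seed(2025)  # constructed data: zone example., two ZSKs, the old one already removed
    new, old = Dnskey(256, 8, make_key()), Dnskey(256, 8, make_key())
    while key_tag(dnskey_rdata(old)) == key_tag(dnskey_rdata(new)):  # keep the third case unambiguous
        old = Dnskey(256, 8, make_key())
    owner, rdatas = "www.example.", [bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])]
    published = [new]  # old's DNSKEY is gone, but RRSIGs it produced may still sit in caches
    good, stale = (sign(k, "example.", owner, 1, 3600, rdatas, 1753200000, 1754400000) for k in (new, old))
    tampered = [bytes([192, 0, 2, 1]), bytes([198, 51, 100, 7])]  # RRset altered, RRSIG kept
    return {"good": classify(good, published, owner, rdatas),
            "tampered_rrset": classify(good, published, owner, tampered),
            "rrsig_from_removed_zsk": classify(stale, published, owner, rdatas)}
```

demo() returns "valid", the "bad" string and "no matching key" for the three cases in that order. The loop over all candidate keys in classify is the part that matters for the tag-collision discussion: a validator that stops at the first DNSKEY with a matching tag would report a good RRSIG as bad whenever two published keys share a tag, while trying every matching key and only then declaring failure is what separates a real bad RRSIG from a mere collision.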
