RFC 4033:DNS Security Introduction and Requirement...

8. Zone Considerations


   There are several differences between signed and unsigned zones.  A
   signed zone will contain additional security-related records (RRSIG,
   DNSKEY, DS, and NSEC records).  RRSIG and NSEC records may be
   generated by a signing process prior to serving the zone.  The RRSIG
   records that accompany zone data have defined inception and
   expiration times that establish a validity period for the signatures
   and the zone data the signatures cover.


8.1. TTL Values vs. RRSIG Validity Period


   It is important to note the distinction between a RRset's TTL value
   and the signature validity period specified by the RRSIG RR covering
   that RRset.  DNSSEC does not change the definition or function of the
   TTL value, which is intended to maintain database coherency in
   caches.  A caching resolver purges RRsets from its cache no later
   than the end of the time period specified by the TTL fields of those
   RRsets, regardless of whether the resolver is security-aware.

   The inception and expiration fields in the RRSIG RR ([RFC4034]), on
   the other hand, specify the time period during which the signature
   can be used to validate the covered RRset.  The signatures associated
   with signed zone data are only valid for the time period specified by
   these fields in the RRSIG RRs in question.  TTL values cannot extend
   the validity period of signed RRsets in a resolver's cache, but the
   resolver may use the time remaining before expiration of the
   signature validity period of a signed RRset as an upper bound for the
   TTL of the signed RRset and its associated RRSIG RR in the resolver's
   cache.


8.2. New Temporal Dependency Issues for Zones


   Information in a signed zone has a temporal dependency that did not
   exist in the original DNS protocol.  A signed zone requires regular
   maintenance to ensure that each RRset in the zone has a current valid
   RRSIG RR.  The signature validity period of an RRSIG RR is an
   interval during which the signature for one particular signed RRset
   can be considered valid, and the signatures of different RRsets in a
   zone may expire at different times.  Re-signing one or more RRsets in
   a zone will change one or more RRSIG RRs, which will in turn require
   incrementing the zone's SOA serial number to indicate that a zone
   change has occurred and re-signing the SOA RRset itself.  Thus,
   re-signing any RRset in a zone may also trigger DNS NOTIFY messages
   and zone transfer operations.
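
   The following is an added example, not part of RFC 4033: it applies the Section 8.1 rule (cache TTL bounded by the time left in the RRSIG validity period) and the Section 8.2 maintenance concern (signatures in one zone expiring at different times) to a few RRSIG RRs. The records, names, key tag, signatures, evaluation time and function names are all constructed for illustration, and timestamps are parsed as plain UTC dates rather than with 32-bit serial arithmetic.

```python
from datetime import datetime, timezone

# Constructed sample RRSIG RRs in RFC 4034 presentation format.
# Owner names, key tag and signature blobs are placeholders.
SAMPLE_ZONE = """\
example.com.      3600  IN RRSIG SOA 13 2 3600  20240201000000 20240101000000 12345 example.com. c2lnMQ==
www.example.com.  86400 IN RRSIG A   13 3 86400 20240110120000 20240101000000 12345 example.com. c2lnMg==
mail.example.com. 300   IN RRSIG A   13 3 300   20240105000000 20231206000000 12345 example.com. c2lnMw==
"""
NOW = datetime(2024, 1, 10, tzinfo=timezone.utc)  # constructed evaluation time

def rrsig_time(field):
    # RRSIG times in presentation form are YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    # RDATA order: covered alg labels orig-ttl EXPIRATION INCEPTION tag signer sig
    f = line.split()
    return {"owner": f[0], "ttl": int(f[1]), "covered": f[4],
            "expiration": rrsig_time(f[8]), "inception": rrsig_time(f[9])}

def cache_ttl(rrsig, now):
    """Section 8.1: the TTL cannot outlive the signature validity period.
    Returns None when the signature cannot validate the RRset at `now`."""
    if not (rrsig["inception"] <= now <= rrsig["expiration"]):
        return None
    remaining = int((rrsig["expiration"] - now).total_seconds())
    return min(rrsig["ttl"], remaining)

def resign_due(rrsigs, now, margin_seconds):
    """Section 8.2: RRsets whose signature has expired or will expire
    within the margin, and so need re-signing (plus an SOA serial bump)."""
    return [(r["owner"], r["covered"]) for r in rrsigs
            if (r["expiration"] - now).total_seconds() <= margin_seconds]

if __name__ == "__main__":
    rrsigs = [parse_rrsig(l) for l in SAMPLE_ZONE.splitlines()]
    for r in rrsigs:
        print(r["owner"], r["covered"], "cache TTL:", cache_ttl(r, NOW))
    print("re-sign within 7 days:", resign_due(rrsigs, NOW, 7 * 86400))
```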


