nanog mailing list archives

Root and ARPA DNSSEC operational message - signature validity period


From: "Wessels, Duane" <dwessels () verisign com>
Date: Mon, 12 Jan 2015 17:43:12 +0000

DNSSEC signatures in the Root and ARPA zones were initially given a validity
period of 7 days.  The validity period is being increased to 10 days.

Both the Root and ARPA zones publish their NS RRsets with a TTL of 6 days.
A signature validity period of 7 days means that a root server instance
that is not updated within 24 hours may return NS RRset responses whose
TTL exceeds the signature validity.  This could cause problems for validating
recursive name servers that forward queries through non-validators.  A
longer signature validity provides a longer buffer in the distribution of
these zones.

Note that we are not aware of any cases where the 7 day signature validity
period has caused problems for DNSSEC validators.  This is a precautionary
measure.

As of today, the zones now have the increased validity period.  Please
feel free to contact us with concerns or questions.

Attachment: signature.asc
Description: Message signed with OpenPGP using GPGMail
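As an added illustration that is not part of Duane Wessels' message, the following Python parses a presentation-format RRSIG and computes the buffer the message describes: how much time remains between a stale server instance handing out the NS RRset, a non-validating cache holding it for the full TTL, and the signature expiring. The RRSIG lines, key tag and signature bytes are constructed, and the model treats the signature inception time as the moment the zone was published (an assumption, not something the message states).

```python
"""Check whether a cached RRset can outlive its RRSIG validity window."""
from datetime import datetime, timezone

# Constructed RRSIG records (key tag and signature are placeholders): a 6-day NS
# TTL (518400 s) signed with a 7-day window and with the new 10-day window.
RRSIG_NS_7DAY = (". 518400 IN RRSIG NS 8 0 518400 20150119000000 20150112000000 "
                 "12345 . cGxhY2Vob2xkZXI=")
RRSIG_NS_10DAY = (". 518400 IN RRSIG NS 8 0 518400 20150122000000 20150112000000 "
                  "12345 . cGxhY2Vob2xkZXI=")


def parse_rrsig(line):
    """Parse an RRSIG in presentation format:
    owner ttl class RRSIG type alg labels orig-ttl expiration inception keytag signer sig
    Timestamps are YYYYMMDDHHmmSS in UTC."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record")

    def ts(s):
        return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

    return {"owner": f[0], "type_covered": f[4], "original_ttl": int(f[7]),
            "expiration": ts(f[8]), "inception": ts(f[9]), "key_tag": int(f[10])}


def validity_margin(sig, publish_lag_seconds):
    """Seconds of slack between the end of a full TTL of caching and expiration.

    A server instance assumed to lag the published zone by publish_lag_seconds
    can still serve the old RRset at inception + lag; a non-validating cache then
    keeps it for original_ttl more seconds.  A negative result means a validator
    behind that cache can receive the RRset after its signature has expired."""
    window = (sig["expiration"] - sig["inception"]).total_seconds()
    return window - publish_lag_seconds - sig["original_ttl"]


def cache_may_outlive_signature(sig, publish_lag_seconds):
    """True when the TTL plus distribution lag exceeds the validity period."""
    return validity_margin(sig, publish_lag_seconds) < 0
```

With a 7-day window, a 6-day TTL and an instance lagging exactly 24 hours the margin is zero; any further lag turns it negative, while the 10-day window leaves three days of slack.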

