DNSSEC signatures in the Root and ARPA zones were initially given a validity
period of 7 days. The validity period is being increased to 10 days.
Both the Root and ARPA zones publish their NS RRsets with a TTL of 6 days.
A signature validity period of 7 days means that a root server instance
that is not updated within 24 hours may return NS RRset responses whose
TTL exceeds the signature validity. This could cause problems for validating
recursive name servers that forward queries through non-validators. A
longer signature validity provides a longer buffer in the distribution of
Note that we are not aware of any cases where the 7 day signature validity
period has caused problems for DNSSEC validators. This is a precautionary
As of today, the zones now have the increased validity period. Please
feel free to contact us with concerns or questions.