Root and ARPA DNSSEC operational message - signature validity period
DNSSEC signatures in the Root and ARPA zones were initially given a validity period of 7 days. The validity period is being increased to 10 days.

Both the Root and ARPA zones publish their NS RRsets with a TTL of 6 days. A signature validity period of 7 days means that a root server instance that is not updated within 24 hours may return NS RRset responses whose TTL exceeds the signature validity. This could cause problems for validating recursive name servers that forward queries through non-validators. A longer signature validity provides a longer buffer in the distribution of these zones.

Note that we are not aware of any cases where the 7 day signature validity period has caused problems for DNSSEC validators. This is a precautionary measure.

As of today, the zones now have the increased validity period. Please feel free to contact us with concerns or questions.
Wessels, Duane
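
The timing argument in the message can be checked against a served RRSIG record. The following is an added example, not part of the original message: the two records are constructed samples (dates, key tag and signature are placeholders), and it assumes the signature's validity starts when the zone copy is published.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample RRSIG records over the root NS RRset (presentation format).
# TTL 518400 s = 6 days; validity windows of 7 and 10 days respectively.
OLD_7DAY = ". 518400 IN RRSIG NS 8 0 518400 20100808000000 20100801000000 12345 . c2FtcGxl"
NEW_10DAY = ". 518400 IN RRSIG NS 8 0 518400 20100811000000 20100801000000 12345 . c2FtcGxl"

def _ts(s):
    """RRSIG timestamps in presentation format are YYYYMMDDHHmmSS in UTC (RFC 4034)."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    """Parse one RRSIG record as printed by tools such as dig +dnssec."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {"owner": f[0], "covered": f[4], "original_ttl": int(f[7]),
            "expiration": _ts(f[8]), "inception": _ts(f[9])}

def max_safe_staleness(sig):
    """Longest a server may keep serving this zone copy before a full-TTL
    cache entry can outlive the signature: validity period minus TTL."""
    validity = sig["expiration"] - sig["inception"]
    return validity - timedelta(seconds=sig["original_ttl"])

def ttl_overrun(sig, served_at):
    """Time by which a cache that stores the RRset at served_at for the full
    original TTL would still hold it after the signature expires.
    Zero or negative means the cached RRset expires first."""
    cached_until = served_at + timedelta(seconds=sig["original_ttl"])
    return cached_until - sig["expiration"]

if __name__ == "__main__":
    for name, line in (("7-day", OLD_7DAY), ("10-day", NEW_10DAY)):
        sig = parse_rrsig(line)
        # A server instance still serving this zone copy 30 hours after publication.
        served_at = sig["inception"] + timedelta(hours=30)
        print(name, "buffer:", max_safe_staleness(sig),
              "overrun at 30h stale:", ttl_overrun(sig, served_at))
```

A positive overrun is the window in which a downstream cache can still hand out an NS RRset whose signature a validator will reject as expired.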