[dane] Question re draft -20, TLSA record expiry
Thierry Moreau <thierry.moreau@connotech.com> Tue, 01 May 2012 13:07 UTC
Return-Path: <thierry.moreau@connotech.com>
X-Original-To: dane@ietfa.amsl.com
Delivered-To: dane@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix)
with ESMTP id E7BD321F8630 for <dane@ietfa.amsl.com>;
Tue, 1 May 2012 06:07:18 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.495
X-Spam-Level:
X-Spam-Status: No, score=-0.495 tagged_above=-999 required=5
tests=[BAYES_00=-2.599, FH_RELAY_NODNS=1.451, HELO_MISMATCH_COM=0.553,
RDNS_NONE=0.1]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com
[127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ehSRrWmbviIX for
<dane@ietfa.amsl.com>; Tue, 1 May 2012 06:07:18 -0700 (PDT)
Received: from mail.connotech.com (unknown [76.10.176.241]) by ietfa.amsl.com
(Postfix) with ESMTP id 48A5C21E8707 for <dane@ietf.org>;
Tue, 1 May 2012 06:06:49 -0700 (PDT)
Received: from [192.168.1.200] (unknown [192.168.1.200]) by mail.connotech.com
(Postfix) with ESMTPA id EFE68308E6 for <dane@ietf.org>;
Tue, 1 May 2012 14:22:48 -0400 (EDT)
Message-ID: <4F9FE1BE.5010208@connotech.com>
Date: Tue, 01 May 2012 09:14:38 -0400
From: Thierry Moreau <thierry.moreau@connotech.com>
User-Agent: Thunderbird 2.0.0.17 (X11/20090608)
MIME-Version: 1.0
To: dane <dane@ietf.org>
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Subject: [dane] Question re draft -20, TLSA record expiry
X-BeenThere: dane@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS-based Authentication of Named Entities <dane.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dane>,
<mailto:dane-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dane>
List-Post: <mailto:dane@ietf.org>
List-Help: <mailto:dane-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dane>,
<mailto:dane-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 01 May 2012 13:07:19 -0000
Hi,

I reviewed the draft draft-ietf-dane-protocol-20. Great work!

In section 5, item "Roll-over", I would be inclined to associate "expired TLSA records" with a combination of RRSIG signature expiry (an absolute time) and the original TTL field (the one data-integrity-protected by the RRSIG), not just the normal DNS TTL processing. Or maybe this extra scrutiny is implied by the DNSSEC validation function on which the "using entity" (my words) must rely anyway.

Then I venture to propose the following text:

"Note that the DNSSEC validation function [must/is expected to] provide a reliable TTL indication based on RRSIG fields including signature expiry and original TTL."

This way it reminds the domain manager that key pair cryptoperiods are managed through the DNSSEC signature process.

Thanks for the dedicated attention paid to the subtleties of DNSSEC piggybacked over the installed base of TLS server certification infrastructure!

-- 
- Thierry Moreau

CONNOTECH Experts-conseils inc.
9130 Place de Montgolfier
Montreal, QC, Canada H2M 2A1

Tel. +1-514-385-5691
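The TTL capping the message above asks about is what RFC 4035, section 5.3.3, already requires of a validator: the TTL handed back for a validated RRset must not exceed the least of the RRset TTL, the RRSIG TTL, the RRSIG Original TTL, and the seconds remaining until Signature Expiration, and a signature outside its [Inception, Expiration] window is unusable at all. The following Python is an added example illustrating that rule for a TLSA RRset; it is not code from draft-ietf-dane-protocol-20, from the list, or from any validator. The TLSA owner name, TTLs, RRSIG timestamps, key tag and signature field are constructed sample data, and the signature itself is not cryptographically checked (that part of validation is out of scope here).

```python
"""
Added example: the TTL a DNSSEC validator may return for a TLSA RRset,
derived from the RRSIG's Signature Expiration and Original TTL fields
(RFC 4034 section 3.2 field format, RFC 4035 sections 5.3.1 and 5.3.3).
All record data below is constructed for illustration; nothing is signed
or verified, only the time/TTL bookkeeping is shown.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def parse_rrsig_time(field: str) -> int:
    """RRSIG Expiration/Inception in presentation format is YYYYMMDDHHmmSS,
    UTC (RFC 4034 section 3.2). Returns seconds since the Unix epoch."""
    if len(field) != 14 or not field.isdigit():
        raise ValueError(f"malformed RRSIG time field: {field!r}")
    dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


@dataclass(frozen=True)
class Rrsig:
    type_covered: str
    original_ttl: int
    expiration: int   # seconds since epoch
    inception: int    # seconds since epoch
    key_tag: int
    signer: str


def parse_rrsig_line(line: str) -> Rrsig:
    """Parse one RRSIG RR in zone-file presentation format:
    owner ttl class RRSIG type alg labels origttl expiration inception keytag signer sig"""
    f = line.split()
    if len(f) < 12 or f[2].upper() != "IN" or f[3].upper() != "RRSIG":
        raise ValueError("not an RRSIG RR in presentation format")
    return Rrsig(
        type_covered=f[4].upper(),
        original_ttl=int(f[7]),
        expiration=parse_rrsig_time(f[8]),
        inception=parse_rrsig_time(f[9]),
        key_tag=int(f[10]),
        signer=f[11],
    )


def effective_ttl(rrset_ttl: int, rrsig_ttl: int, sig: Rrsig, now: int) -> Optional[int]:
    """TTL a validator may return for the validated RRset, or None if the
    signature is not usable at `now`.

    RFC 4035 5.3.1: usable only when inception <= now <= expiration.  The RFC
    compares these 32-bit fields with serial arithmetic (RFC 1982); plain
    integers are fine for timestamps within a few decades of the present.
    RFC 4035 5.3.3: the returned TTL MUST NOT exceed the least of the RRset
    TTL, the RRSIG TTL, the Original TTL, and the seconds left until
    Signature Expiration.  The last term is what makes an absolute signature
    expiry show up to the TLSA consumer as a shrinking TTL.
    """
    if now < sig.inception or now > sig.expiration:
        return None
    remaining = sig.expiration - now
    return min(rrset_ttl, rrsig_ttl, sig.original_ttl, remaining)


# Constructed sample: a TLSA RRset TTL and its RRSIG, not real DNS data.
SAMPLE_TLSA_TTL = 3600
SAMPLE_RRSIG_TTL = 3600
SAMPLE_RRSIG_LINE = (
    "_443._tcp.www.example.com. 3600 IN RRSIG TLSA 8 5 3600 "
    "20120515120000 20120501120000 12345 example.com. "
    "PLACEHOLDERSIGNATURE=="   # placeholder, never verified in this example
)


def demo(now_text: str) -> Optional[int]:
    """Effective TTL of the sample TLSA RRset at the given UTC time."""
    sig = parse_rrsig_line(SAMPLE_RRSIG_LINE)
    return effective_ttl(SAMPLE_TLSA_TTL, SAMPLE_RRSIG_TTL, sig, parse_rrsig_time(now_text))


if __name__ == "__main__":
    for t in ("20120501120000", "20120515113000", "20120515120001"):
        print(t, demo(t))
```

Run as a script, the demo shows the three regimes a TLSA consumer will see: deep inside the signature window the TTL is simply the 3600 s from the zone, in the last hour before Signature Expiration it drops to the seconds remaining, and one second past expiration the RRset can no longer be validated at all, so the validator returns no TTL rather than a stale answer. That is why the draft's roll-over guidance can lean on the validator: the operator's signing cadence, not the raw zone TTL, bounds how long a withdrawn TLSA record can remain usable.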