Re: [dnsext] RFC 4035 and "caching" of "expired RRSIG's"

"Marc Lampo" <marc.lampo@eurid.eu> Tue, 04 January 2011 10:44 UTC

From: Marc Lampo <marc.lampo@eurid.eu>
To: 'Florian Weimer' <fweimer@bfk.de>, 'Marc Lampo' <marc.lampo@eurid.eu>
References: <000201cbabf5$0533d010$0f9b7030$@eurid.eu> <82sjx9kmqf.fsf@mid.bfk.de>
In-Reply-To: <82sjx9kmqf.fsf@mid.bfk.de>
Date: Tue, 04 Jan 2011 11:46:51 +0100
Cc: dnsext@ietf.org
Subject: Re: [dnsext] RFC 4035 and "caching" of "expired RRSIG's"

Hello,

I understand what you mean, but the RFC uses the word "expire".
And that, by itself, can be interpreted in two ways :
1) the TTL counts down to 0
2) the present time is later than the "expiration date" of the (a ?) RRSIG record

You indicate that this portion of the RFC handles TTL only,
 but the last paragraph of that section 4.5 states :
 "until the TTL or signatures ... expire"
 --> this leads one to believe that it is not exclusively TTL only
That possible, dual, interpretation indicates the need for clarification, I would say.


And, if the original RFC meant the TTL only,
then the case of an RRSIG past expiration time (second interpretation above)
 is not addressed at all, is it ?

Furthermore, since the TTL of the RRSIG RRset must be identical to the TTL of the
RRset it signs,
all records in the "atomic entry" should have the same TTL anyway.
Though I suppose that somehow, data might arrive/be refreshed at different times,
yielding different TTL values in a validating name server's cache.

Kind regards,

Marc


-----Original Message-----
From: Florian Weimer [mailto:fweimer@bfk.de]
Sent: 04 January 2011 11:05 AM
To: Marc Lampo
Cc: dnsext@ietf.org
Subject: Re: [dnsext] RFC 4035 and "caching" of "expired RRSIG's"

* Marc Lampo:

>    Consequently :
>     Wouldn't it be wise to rephrase 4.5 of RFC4035 such that
>      "DNSSEC validation becomes impossible"
>     is meant ?

Please clarify if you're concerned with TTLs or signature validity
periods.  (The quoted sections in the RFCs are strictly about TTLs,
and not about cryptographic constraints.)

--
Florian Weimer                <fweimer@bfk.de>
BFK edv-consulting GmbH       http://www.bfk.de/
Kriegsstraße 100              tel: +49-721-96201-1
D-76133 Karlsruhe             fax: +49-721-96201-99

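Added example (not from this thread or either correspondent): a small Python model of the two readings of "expire" discussed above, in which a validating resolver bounds a cached RRset's lifetime by both its TTL and the RRSIG's Signature Expiration, comparing the 32-bit timestamps with RFC 1982 serial arithmetic as RFC 4034 prescribes. The owner names and sample values are constructed; NOW is the epoch timestamp of this mail.

```python
# Added example (not from this thread): a validating resolver must drop a
# cached RRset when EITHER its TTL reaches 0 (reading 1) OR the present
# time passes the RRSIG's Signature Expiration (reading 2). RRSIG times are
# 32-bit seconds since the epoch compared with RFC 1982 serial arithmetic
# (RFC 4034 section 3.1.5). All names and sample values are constructed.
from dataclasses import dataclass

MOD32 = 1 << 32
HALF32 = 1 << 31


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 'a < b' on 32-bit serials, so comparisons survive the 2106 wrap."""
    a, b = a % MOD32, b % MOD32
    return (a < b and b - a < HALF32) or (a > b and a - b > HALF32)


@dataclass
class SignedRRset:
    name: str
    rtype: str
    ttl: int             # shared by the RRset and its RRSIG (RFC 4035 section 2.2)
    sig_inception: int   # RRSIG Signature Inception field
    sig_expiration: int  # RRSIG Signature Expiration field


def signature_valid_at(rr: SignedRRset, now: int) -> bool:
    """The RRSIG may be used only while inception <= now <= expiration."""
    return not serial_lt(now, rr.sig_inception) and not serial_lt(rr.sig_expiration, now)


def cache_lifetime(rr: SignedRRset, now: int) -> int:
    """Seconds the entry may still be served as validated: min(TTL, time left
    on the signature). 0 means re-fetch: the cached data can no longer validate."""
    if not signature_valid_at(rr, now):
        return 0
    return min(rr.ttl, (rr.sig_expiration - now) % MOD32)


NOW = 1294138012  # epoch seconds of this mail's timestamp, 2011-01-04 10:46:52 UTC
# TTL would keep the record a day, but the signature runs out in an hour.
SHORT_SIG = SignedRRset("www.example.", "A", 86400, NOW - 7 * 86400, NOW + 3600)
# TTL has not counted down to 0, yet the RRSIG expiration time has passed.
EXPIRED_SIG = SignedRRset("mail.example.", "MX", 3600, NOW - 30 * 86400, NOW - 60)

if __name__ == "__main__":
    print(cache_lifetime(SHORT_SIG, NOW))    # 3600, not the 86400 TTL
    print(cache_lifetime(EXPIRED_SIG, NOW))  # 0
```

The second case is exactly the one the mail says section 4.5 leaves unaddressed under the TTL-only reading: the TTL is still positive, but the data can no longer be validated and must not be served as secure.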