IETF Logo Mail Archive

Re: [dnsext] SIG inception/expiration

Mark Andrews <marka@isc.org> Wed, 04 January 2012 01:29 UTC

Return-Path: <marka@isc.org>
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id D80EF21F8484 for <dnsext@ietfa.amsl.com>; Tue, 3 Jan 2012 17:29:49 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.599
X-Spam-Level:
X-Spam-Status: No, score=-2.599 tagged_above=-999 required=5 tests=[BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id V4wFMXJr7bb9 for <dnsext@ietfa.amsl.com>; Tue, 3 Jan 2012 17:29:49 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [IPv6:2001:4f8:0:2::2b]) by ietfa.amsl.com (Postfix) with ESMTP id 0E5FD21F8442 for <dnsext@ietf.org>; Tue, 3 Jan 2012 17:29:49 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "bikeshed.isc.org", Issuer "ISC CA" (verified OK)) by mx.pao1.isc.org (Postfix) with ESMTPS id DB5F3C9427; Wed, 4 Jan 2012 01:29:25 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:157:6bc5:2c94:be00]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id 8F28A216C6A; Wed, 4 Jan 2012 01:29:25 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id B19951AC80F2; Wed, 4 Jan 2012 12:29:22 +1100 (EST)
To: John Dickinson <jad@jadickinson.co.uk>
From: Mark Andrews <marka@isc.org>
References: <20120102104613.GB12764@miek.nl> <20120102135227.EAA9D1AC279D@drugs.dv.isc.org> <20120102140337.GJ12764@miek.nl> <ABDB4B83-937D-44E2-8562-4CB36266A96B@jadickinson.co.uk>
In-reply-to: Your message of "Tue, 03 Jan 2012 15:57:20 -0000." <ABDB4B83-937D-44E2-8562-4CB36266A96B@jadickinson.co.uk>
Date: Wed, 04 Jan 2012 12:29:22 +1100
Message-Id: <20120104012922.B19951AC80F2@drugs.dv.isc.org>
Cc: dnsext@ietf.org
Subject: Re: [dnsext] SIG inception/expiration
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 04 Jan 2012 01:29:50 -0000

In message <ABDB4B83-937D-44E2-8562-4CB36266A96B@jadickinson.co.uk>, John Dicki
nson writes:
> 
> On 2 Jan 2012, at 14:03, Miek Gieben wrote:
> 
> > [ Quoting <marka@isc.org> at 00:52 on Jan  3 in "Re: [dnsext] SIG inc..." ]
> >> 
> >> In message <20120102104613.GB12764@miek.nl>, Miek Gieben writes:
> >>> Hello list,
> >>> 
> >>> A recent dnssec-deployment discussion led to the question on why the
> >>> expiration/inception time in the RRSIG are in the "wrong" order.
> >> 
> >> Actually the order makes lots of sense.  Expiration time is almost
> >> always the critical value in a signature.  Inception time is almost
> >> always in the past.  One could completely remove inception time
> >> and still have secure signatures.
> > 
> > But was this the original reason to change the order?
> > 
> > And someone, not trained in the Jedi ways of DNSSEC, will look at an RRSIG 
> and
> > assume the first time stamp is the inception and the second one is expirati
> on.
> 
> That is true. I have often had to double check this order - I just remember t
> hat there is something funny with it now and always double check. 
> 
> I had always thought that, as Mark said, inception makes no difference to sec
> urity, and that perhaps there is no operational reason to use any value other
> than 0 for the inception. Setting it to zero would at least stop it standing
> out in the RRSIG. However, a quick re-read of 4034 3.1.5 reminds me that 

What I said is that it could be removed all together.  Given that it is there
it needs to be set appropriately.

>   The Signature Expiration and Inception field values specify a date
>    and time in the form of a 32-bit unsigned number of seconds elapsed
>    since 1 January 1970 00:00:00 UTC, ignoring leap seconds, in network
>    byte order.  The longest interval that can be expressed by this
>    format without wrapping is approximately 136 years.  An RRSIG RR can
>    have an Expiration field value that is numerically smaller than the
>    Inception field value if the expiration field value is near the
>    32-bit wrap-around point or if the signature is long lived.  Because
>    of this, all comparisons involving these fields MUST use "Serial
>    number arithmetic", as defined in [RFC1982].  As a direct
>    consequence, the values contained in these fields cannot refer to
>    dates more than 68 years in either the past or the future.
> 
> so I guess it does need to be set to something reasonable if you use very lon
> g validity periods or we are nearing 2106. However, it makes me wonder if the
> re is ever a reason to compare them, and if serial number arithmatic is actua
> lly meaningful here? 

Serial number arithmetic is important.

> John
> 
> 
> _______________________________________________
> dnsext mailing list
> dnsext@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsext
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: marka@isc.org

v2.29.0 | Report a Bug | By Email | System Status