Re: [DNSOP] Can an RRSET remain valid past the expiration timestamp on its signing RRSIG?

Matthijs Mekking <matthijs@pletterpet.nl> Wed, 24 July 2019 06:29 UTC

To: dnsop@ietf.org
References: <CAFz7pMutjXgW4m-rpBUFqy3E+HQtQsO4f-s-TxxYxtyKaJBhxg@mail.gmail.com>
From: Matthijs Mekking <matthijs@pletterpet.nl>
Message-ID: <38112058-ba62-0266-3d1a-676221622db0@pletterpet.nl>
Date: Wed, 24 Jul 2019 08:29:11 +0200

RFC 4035 says:

   If the resolver accepts the RRset as authentic, the validator MUST
   set the TTL of the RRSIG RR and each RR in the authenticated RRset to
   a value no greater than the minimum of:

   o  the RRset's TTL as received in the response;

   o  the RRSIG RR's TTL as received in the response;

   o  the value in the RRSIG RR's Original TTL field; and

   o  the difference of the RRSIG RR's Signature Expiration time and the
      current time.

That last bullet point tells us that if the signature's expiration time is
smaller than the TTLs received in the response, the RRset is cached for
at most the duration until the signature expires.

On 7/24/19 7:50 AM, Nick Johnson wrote:
> Suppose I receive a response containing an RRSET with records with
> ttl=3600, signed with an RRSIG that has an expiration timestamp 60
> seconds from now.
> 
> After validating the signature, can I cache the RRSET for 3600 seconds,
> or only for 60 seconds? If the former, and the RRSET is a DNSKEY, can I
> rely on it to validate other RRSIGs for the entire 3600 seconds?

In your example, the RRset must be cached for at most 60 seconds.

Best regards,

Matthijs


> 
> -Nick Johnson
> 
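As an added illustration of the RFC 4035 rule quoted in the message above (example code written for this page, not code from the thread, from the RFC, or from any DNS implementation), the function below computes the TTL a validator may assign to an authenticated RRset: the minimum of the RRset TTL, the RRSIG TTL, the Original TTL field and the seconds left until Signature Expiration. It also applies the RFC 4035 section 5.3.1 check that the current time lies between Inception and Expiration, so an already-expired signature never produces a cache entry at all, and it compares the 32-bit timestamps with RFC 1982 serial arithmetic so that a wrap of the epoch counter does not produce a bogus negative or huge value. The `Rrsig` class and the `SignatureNotValid` exception are constructs of this example.

```python
"""RFC 4035 section 5.3.3 cache-TTL computation for a validated RRset.

Added example for this page; not code from the thread or any resolver.
"""
from dataclasses import dataclass

SERIAL_BITS = 32
SERIAL_MOD = 1 << SERIAL_BITS
SERIAL_HALF = 1 << (SERIAL_BITS - 1)


def serial_diff(a: int, b: int) -> int:
    """RFC 1982 serial-number difference a - b for 32-bit RRSIG timestamps.

    Returns a signed value in [-2**31, 2**31); positive means a is later
    than b even if the raw 32-bit counter has wrapped in between.
    """
    d = (a - b) % SERIAL_MOD
    return d - SERIAL_MOD if d >= SERIAL_HALF else d


@dataclass
class Rrsig:
    """The RRSIG fields this computation needs (hypothetical container)."""
    ttl: int           # TTL the RRSIG RR carried in the response
    original_ttl: int  # RRSIG Original TTL field
    inception: int     # Signature Inception, seconds since epoch mod 2**32
    expiration: int    # Signature Expiration, seconds since epoch mod 2**32


class SignatureNotValid(Exception):
    """Raised when the validator's current time is outside the validity window."""


def cache_ttl(rrset_ttl: int, rrsig: Rrsig, now: int) -> int:
    """Return the maximum TTL a validator may cache the RRset and its RRSIG with.

    Per RFC 4035 5.3.1 the current time MUST be >= Inception and <= Expiration;
    otherwise the signature is not valid and nothing is cached. Per 5.3.3 the
    TTL is capped at the minimum of the four quantities listed in the RFC.
    """
    if serial_diff(now, rrsig.inception) < 0:
        raise SignatureNotValid("signature not yet valid (before Inception)")
    remaining = serial_diff(rrsig.expiration, now)
    if remaining < 0:
        raise SignatureNotValid("signature expired (after Expiration)")
    return min(rrset_ttl, rrsig.ttl, rrsig.original_ttl, remaining)


def thread_example(now: int = 1_563_950_951) -> int:
    """The case from the question: TTL 3600, RRSIG expiring 60 s from now.

    The default 'now' is a constructed timestamp near the date of the mail.
    """
    sig = Rrsig(ttl=3600, original_ttl=3600,
                inception=now - 86_400, expiration=now + 60)
    return cache_ttl(3600, sig, now)


if __name__ == "__main__":
    print("cache TTL for the thread's example:", thread_example())  # 60
```

Because the same cap applies to a DNSKEY RRset, a key validated under a signature that expires in 60 seconds leaves the cache after 60 seconds as well; a validator that needs it afterwards has to fetch and validate the DNSKEY RRset again rather than keep using the stale copy.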