Re: [DNSOP] Can an RRSET remain valid past the expiration timestamp on its signing RRSIG?
Nick Johnson <nick@ethereum.org> Wed, 24 July 2019 21:28 UTC
Return-Path: <nick@ethereum.org>
X-Original-To: dnsop@ietfa.amsl.com
Delivered-To: dnsop@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 29D0E120372 for <dnsop@ietfa.amsl.com>; Wed, 24 Jul 2019 14:28:08 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.998
X-Spam-Level:
X-Spam-Status: No, score=-1.998 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=ethereum.org
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id vcbnwBwdLVBU for <dnsop@ietfa.amsl.com>; Wed, 24 Jul 2019 14:28:05 -0700 (PDT)
Received: from mail-ot1-x32e.google.com (mail-ot1-x32e.google.com [IPv6:2607:f8b0:4864:20::32e]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 93C1C120141 for <dnsop@ietf.org>; Wed, 24 Jul 2019 14:28:05 -0700 (PDT)
Received: by mail-ot1-x32e.google.com with SMTP id q20so49350787otl.0 for <dnsop@ietf.org>; Wed, 24 Jul 2019 14:28:05 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ethereum.org; s=google; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=3X2psmZva+8AAadl8FMXXlPMtGJrDlY6iAmCawnvp3w=; b=Z3qy3uQsgung2fRmtEMbm9ZbWF7vMd3EUsuMt5P/M90LJUUZc4hdgaF4sgN52ChDMq nku3QRA2CoBN6WF2awqjk9QHkA934Ie6mqmgIPfaDVqTvIhxfT0/WFJwYNuoD2HctpHN +KdCwbGAHfYp1n2RVwuHmrOAXqPt+fjTpOJ7w=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=3X2psmZva+8AAadl8FMXXlPMtGJrDlY6iAmCawnvp3w=; b=NyaA+OIOpk+lj3O3yWfznRQasNaIrz7hwNN6oXukcL8jlf1zPC4YObAvwvv5gTWh4I OKA8EbaMic+kduaG6bmUWOwr28+nkKaucnH6m5D8cnsHQq3+knJPqY/gahZnx1GwYayE 3BemMQXf0e6yn2fiaV0xQt2Ai9JTU9hpXjEJPu3OeNgTJLT9KoHr8E6AfNrPLSzisrAV bQOvJMRkEKgR8VLjbFhAT+ohX3zTFHk/o7GwsdOOavNDwZVqgHnPMJYADriQo+zS4cXa A1QOD/J45SH8FIc2WLjtvzAC9zIU5AHlO5LaSvZoGHvtHtSOW5/K4jovBg0MXdOJGCo9 nR0A==
X-Gm-Message-State: APjAAAWi8p3Anxh3dV7OCP4pNTW6mCSAk+9usoVpx4Tax9y0kE3c//EW AlpuOZUwR9+VlFfqqYdMxZ9E2/0Mu2d2VMyRXJMkF+voZde8pA==
X-Google-Smtp-Source: APXvYqz11Dl4pI3isgROxaZg+zAvbqZFF0YArDbELh6/dpfjNFKKXbY/3Z7Y6T0WRxhAPTqqGrdqk9JGw3ObYtLI5o0=
X-Received: by 2002:a05:6830:8a:: with SMTP id a10mr33190030oto.167.1564003684933; Wed, 24 Jul 2019 14:28:04 -0700 (PDT)
MIME-Version: 1.0
References: <CAFz7pMutjXgW4m-rpBUFqy3E+HQtQsO4f-s-TxxYxtyKaJBhxg@mail.gmail.com> <38112058-ba62-0266-3d1a-676221622db0@pletterpet.nl>
In-Reply-To: <38112058-ba62-0266-3d1a-676221622db0@pletterpet.nl>
From: Nick Johnson <nick@ethereum.org>
Date: Thu, 25 Jul 2019 09:27:51 +1200
Message-ID: <CAFz7pMvPmBJ3ZS2tdK061tE2TnZzymXaiE4nrkFEa0sSRZ33RA@mail.gmail.com>
To: Matthijs Mekking <matthijs@pletterpet.nl>
Cc: dnsop WG <dnsop@ietf.org>
Content-Type: multipart/alternative; boundary="0000000000001174cd058e73fc9a"
Archived-At: <https://mailarchive.ietf.org/arch/msg/dnsop/gvjYKqBlIHBQ9QRL_ZX2NR6ZzXE>
Subject: Re: [DNSOP] Can an RRSET remain valid past the expiration timestamp on its signing RRSIG?
X-BeenThere: dnsop@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: IETF DNSOP WG mailing list <dnsop.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsop>, <mailto:dnsop-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/dnsop/>
List-Post: <mailto:dnsop@ietf.org>
List-Help: <mailto:dnsop-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsop>, <mailto:dnsop-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 24 Jul 2019 21:28:08 -0000
Thank you both. On Wed, Jul 24, 2019 at 6:29 PM Matthijs Mekking <matthijs@pletterpet.nl> wrote: > RFC 4035 says: > > If the resolver accepts the RRset as authentic, the validator MUST > set the TTL of the RRSIG RR and each RR in the authenticated RRset to > a value no greater than the minimum of: > > o the RRset's TTL as received in the response; > > o the RRSIG RR's TTL as received in the response; > > o the value in the RRSIG RR's Original TTL field; and > > o the difference of the RRSIG RR's Signature Expiration time and the > current time. > > That last bullet point tells that if the signature's expiration time is > smaller than the TTLs received in the response, the RRset is cached for > at most the duration until the signature expires. > > On 7/24/19 7:50 AM, Nick Johnson wrote: > > Suppose I receive a response containing an RRSET with records with > > ttl=3600, signed with an RRSIG that has an expiration timestamp 60 > > seconds from now. > > > > After validating the signature, can I cache the RRSET for 3600 seconds, > > or only for 60 seconds? If the former, and the RRSET is a DNSKEY, can I > > rely on it to validate other RRSIGs for the entire 3600 seconds? > > In your example, the RRset must be cached for at most 60 seconds. > > Best regards, > > Matthijs > > > > > > -Nick Johnson > > > > _______________________________________________ > > DNSOP mailing list > > DNSOP@ietf.org > > https://www.ietf.org/mailman/listinfo/dnsop > > > > _______________________________________________ > DNSOP mailing list > DNSOP@ietf.org > https://www.ietf.org/mailman/listinfo/dnsop >
- [DNSOP] Can an RRSET remain valid past the expira… Nick Johnson
- Re: [DNSOP] Can an RRSET remain valid past the ex… Matthijs Mekking
- Re: [DNSOP] Can an RRSET remain valid past the ex… Nick Johnson