Re: [Doh] [Ext] Does the HTTP freshness lifetime need to match the TTL?

Tony Finch <dot@dotat.at> Mon, 14 May 2018 11:15 UTC

Date: Mon, 14 May 2018 12:15:36 +0100
From: Tony Finch <dot@dotat.at>
To: Paul Hoffman <paul.hoffman@icann.org>
cc: Miek Gieben <miek@miek.nl>, DoH WG <doh@ietf.org>
In-Reply-To: <71E8902F-9297-45D2-80E0-064EF75D5AFE@icann.org>
Message-ID: <alpine.DEB.2.11.1805141214560.1809@grey.csi.cam.ac.uk>
References: <15A1809C-2CA3-4A3B-A5B1-279227C30223@icann.org> <3E34581E-E2DC-48B7-A4AD-6B9FDA418179@icann.org> <31900328-8813-47D3-9F89-0B863CE673B3@mnot.net> <20180508094545.itl6cvpsekzrpxs4@miek.nl> <71E8902F-9297-45D2-80E0-064EF75D5AFE@icann.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/doh/eHQQWckc-6EcPol1-9ns_ESf17s>

Paul Hoffman <paul.hoffman@icann.org> wrote:
>
> To me, "may use the time remaining before expiration" does not sound like
> a requirement, or even an expectation.

RFC 4035, section 5.3.3

   If the resolver accepts the RRset as authentic, the validator MUST
   set the TTL of the RRSIG RR and each RR in the authenticated RRset to
   a value no greater than the minimum of:

   o  the RRset's TTL as received in the response;

   o  the RRSIG RR's TTL as received in the response;

   o  the value in the RRSIG RR's Original TTL field; and

   o  the difference of the RRSIG RR's Signature Expiration time and the
      current time.

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
South Fitzroy: Northerly 4 or 5, occasionally 6 in southeast. Moderate,
occasionally rough. Rain at times. Moderate or good.
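The RFC 4035 clamp quoted above, worked through in code as an added example (this is not code from the message, from Tony Finch, or from any DoH implementation). The `Rrsig` class, the function names and the sample TTLs and dates are all constructed for illustration; `freshness_bound`, which takes the minimum clamp across several RRsets as a ceiling for an HTTP freshness lifetime, is this editor's generalisation and not wording from the DoH draft.

```python
"""Clamp the TTL of a DNSSEC-validated RRset per RFC 4035, section 5.3.3.

Added example, not code from the original message. RRSIG times are given in
RFC 4034 presentation format (YYYYMMDDHHmmSS, UTC); every other input is in
seconds.
"""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Rrsig:
    """The three RRSIG fields that RFC 4035 section 5.3.3 consults (hypothetical type)."""
    ttl: int           # RRSIG RR's TTL as received in the response
    original_ttl: int  # RRSIG RR's Original TTL field
    expiration: int    # Signature Expiration as seconds since the Unix epoch


def parse_rrsig_time(text: str) -> int:
    """Convert an RRSIG Expiration/Inception presentation value to Unix time.

    RFC 4034 section 3.2 writes these as YYYYMMDDHHmmSS in UTC. On the wire they
    are 32-bit unsigned values compared with serial arithmetic (RFC 4034 section
    3.1.5); this example keeps full Unix timestamps, so no wraparound handling
    is needed here.
    """
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def clamp_ttl(rrset_ttl: int, rrsig: Rrsig, now: int) -> int:
    """Largest TTL a validator may keep for an authenticated RRset.

    RFC 4035 section 5.3.3: the TTL MUST be no greater than the minimum of the
    RRset's received TTL, the RRSIG's received TTL, the RRSIG's Original TTL,
    and the seconds left until the signature expires.
    """
    remaining = rrsig.expiration - now
    if remaining < 0:
        # RFC 4035 section 5.3.1 requires now <= Expiration before the RRset
        # may be accepted as authentic, so an expired signature is a caller bug.
        raise ValueError("signature already expired; RRset must not be cached")
    return min(rrset_ttl, rrsig.ttl, rrsig.original_ttl, remaining)


def freshness_bound(rrsets, now: int) -> int:
    """Ceiling for an HTTP freshness lifetime covering a whole answer.

    Editor's illustration, not wording from the DoH draft: a response can only
    be kept as long as its shortest-lived validated RRset, so take the minimum
    of the per-RRset clamps. `rrsets` is a non-empty iterable of
    (rrset_ttl, Rrsig) pairs.
    """
    return min(clamp_ttl(ttl, sig, now) for ttl, sig in rrsets)


if __name__ == "__main__":
    # Constructed sample values; the dates are chosen around the message's own date.
    exp = parse_rrsig_time("20180601000000")     # 2018-06-01T00:00:00Z
    now = parse_rrsig_time("20180514111536")     # 2018-05-14T11:15:36Z
    a_sig = Rrsig(ttl=3600, original_ttl=86400, expiration=exp)
    mx_sig = Rrsig(ttl=86400, original_ttl=300, expiration=exp)
    print(clamp_ttl(3600, a_sig, now))           # received TTL wins
    print(clamp_ttl(3600, a_sig, exp - 1800))    # signature expiry wins near the end
    print(clamp_ttl(86400, mx_sig, now))         # Original TTL caps an inflated TTL
    print(freshness_bound([(3600, a_sig), (86400, mx_sig)], now))
```

The third case is the one worth noticing: an upstream cache that hands back a TTL larger than the RRSIG's Original TTL cannot extend the lifetime of a validated RRset, and near the end of a signature's validity the remaining time, not any TTL, is the binding limit. A DoH server deriving `max-age` from validated data would need to apply the same minimum.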