Re: Quic: the elephant in the room

Viktor Dukhovni <ietf-dane@dukhovni.org> Mon, 12 April 2021 16:16 UTC

To: ietf@ietf.org

On Mon, Apr 12, 2021 at 10:54:04AM -0500, Nico Williams wrote:

> > Sounds to me that, as I thought, they will have to sign a TLSA record
> > every five seconds.  No?
> 
> No.  TTL != notAfter.
> 
> You do not have to re-sign any RRs every N seconds just because their
> TTL is N seconds.

Indeed, RRSIGs have inception and expiration fields that typically
differ by O(30 days).  My zone has 14 day RRSIG lifetimes, and 1 hour
TTLs, but with sufficient automation, it could be lower, thus IIRC Route
53 DNSSEC has 10 hour RRSIGs (!) and the hosted zones are re-signed every
few hours.

Of course one might simply also sign each query on the fly, as done
by Cloudflare.

-- 
    Viktor.
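
Added example, not part of the original message: a small Python audit that reads RRSIG records in RFC 4034 presentation format and reports signature lifetime separately from TTL, showing how many TTL periods one signature covers and when re-signing actually becomes due. The sample records, the `audit` helper and its re-sign policy (one signer interval plus one TTL of headroom) are assumptions made for illustration.

```python
from datetime import datetime, timezone

# Constructed sample RRSIGs in RFC 4034 presentation format; names, key tag and
# signature bytes are made up. Lifetimes mirror the 14 day and 10 hour figures above.
SAMPLE = [
    "_25._tcp.mail.example.com. 3600 IN RRSIG TLSA 13 5 3600 "
    "20210426000000 20210412000000 12345 example.com. c2lnMQ==",
    "www.example.com. 300 IN RRSIG A 13 3 300 "
    "20210412100000 20210412000000 12345 example.com. c2lnMg==",
]

def _ts(field):
    # Only the YYYYMMDDHHmmSS (UTC) form is handled, not the seconds-since-epoch form.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(line):
    f = line.split()
    if len(f) < 13 or f[3].upper() != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    # owner ttl class RRSIG covered alg labels orig_ttl expiration inception tag signer sig
    return {"owner": f[0], "ttl": int(f[1]), "covers": f[4],
            "expiration": _ts(f[8]), "inception": _ts(f[9]), "signer": f[11]}

def audit(rr, now, resign_interval_s):
    lifetime = int((rr["expiration"] - rr["inception"]).total_seconds())
    remaining = int((rr["expiration"] - now).total_seconds())
    return {
        "lifetime_s": lifetime,
        "ttl_periods_per_signature": lifetime // rr["ttl"],
        "valid_now": rr["inception"] <= now <= rr["expiration"],
        # A resolver may keep the answer for ttl seconds; if the signature expires
        # sooner than that, the answer cannot be used for its full TTL.
        "cache_outlives_sig": remaining < rr["ttl"],
        # Assumed policy: re-sign while one signer run plus one TTL still fits.
        "resign_due": remaining < resign_interval_s + rr["ttl"],
    }

if __name__ == "__main__":
    now = datetime(2021, 4, 12, 8, 0, tzinfo=timezone.utc)  # constructed clock
    for line in SAMPLE:
        rr = parse_rrsig(line)
        print(rr["owner"], rr["covers"], audit(rr, now, 3 * 3600))
```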