Re: [dnsext] SIG inception/expiration

John Dickinson <jad@jadickinson.co.uk> Tue, 03 January 2012 15:57 UTC

From: John Dickinson <jad@jadickinson.co.uk>
In-Reply-To: <20120102140337.GJ12764@miek.nl>
Date: Tue, 03 Jan 2012 15:57:20 +0000
Message-Id: <ABDB4B83-937D-44E2-8562-4CB36266A96B@jadickinson.co.uk>
References: <20120102104613.GB12764@miek.nl> <20120102135227.EAA9D1AC279D@drugs.dv.isc.org> <20120102140337.GJ12764@miek.nl>
To: dnsext@ietf.org

On 2 Jan 2012, at 14:03, Miek Gieben wrote:

> [ Quoting <marka@isc.org> at 00:52 on Jan  3 in "Re: [dnsext] SIG inc..." ]
>> 
>> In message <20120102104613.GB12764@miek.nl>, Miek Gieben writes:
>>> Hello list,
>>> 
>>> A recent dnssec-deployment discussion led to the question on why the
>>> expiration/inception time in the RRSIG are in the "wrong" order.
>> 
>> Actually the order makes lots of sense.  Expiration time is almost
>> always the critical value in a signature.  Inception time is almost
>> always in the past.  One could completely remove inception time
>> and still have secure signatures.
> 
> But was this the original reason to change the order?
> 
> And someone, not trained in the Jedi ways of DNSSEC, will look at an RRSIG and
> assume the first time stamp is the inception and the second one is expiration.

That is true. I have often had to double-check this order - I just remember that there is something funny with it now and always double-check.

I had always thought that, as Mark said, inception makes no difference to security, and that perhaps there is no operational reason to use any value other than 0 for the inception. Setting it to zero would at least stop it standing out in the RRSIG. However, a quick re-read of 4034 3.1.5 reminds me that 

   The Signature Expiration and Inception field values specify a date
   and time in the form of a 32-bit unsigned number of seconds elapsed
   since 1 January 1970 00:00:00 UTC, ignoring leap seconds, in network
   byte order.  The longest interval that can be expressed by this
   format without wrapping is approximately 136 years.  An RRSIG RR can
   have an Expiration field value that is numerically smaller than the
   Inception field value if the expiration field value is near the
   32-bit wrap-around point or if the signature is long lived.  Because
   of this, all comparisons involving these fields MUST use "Serial
   number arithmetic", as defined in [RFC1982].  As a direct
   consequence, the values contained in these fields cannot refer to
   dates more than 68 years in either the past or the future.

so I guess it does need to be set to something reasonable if you use very long validity periods or we are nearing 2106. However, it makes me wonder if there is ever a reason to compare them, and if serial number arithmetic is actually meaningful here?

John
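
The RFC 4034 3.1.5 rule quoted above, worked through as an added example (not code from the mail or from any DNS implementation): a validator's inception/expiration check done with RFC 1982 serial number arithmetic, showing why a numerically smaller Expiration still validates near the 2106 wrap-around, and why an Inception of 0 or a validity period over 68 years stops working. The RRSIG timestamps and the `to_serial` helper are constructed for illustration.

```python
"""RRSIG time-window check using RFC 1982 serial number arithmetic.

Signature Inception/Expiration are 32-bit seconds since the epoch, so
RFC 4034 3.1.5 requires RFC 1982 comparison rather than plain integers.
"""
from datetime import datetime, timezone

SERIAL_BITS = 32
MOD = 1 << SERIAL_BITS          # 2^32: values wrap here (in 2106)
HALF = 1 << (SERIAL_BITS - 1)   # 2^31 seconds, roughly 68 years


def to_serial(yyyymmddhhmmss: str) -> int:
    """Convert RRSIG presentation-format time (YYYYMMDDHHmmSS, UTC) to
    the 32-bit wire value. Constructed helper for this example."""
    dt = datetime.strptime(yyyymmddhhmmss, "%Y%m%d%H%M%S")
    return int(dt.replace(tzinfo=timezone.utc).timestamp()) % MOD


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 'a < b': true when b lies less than 2^31 ahead of a,
    modulo 2^32. Values exactly 2^31 apart are undefined -> False."""
    a, b = a % MOD, b % MOD
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


def serial_le(a: int, b: int) -> bool:
    return a % MOD == b % MOD or serial_lt(a, b)


def rrsig_time_valid(inception: int, expiration: int, now: int) -> bool:
    """A validator accepts the RRSIG only if inception <= now <= expiration,
    both comparisons done in serial number arithmetic."""
    return serial_le(inception, now) and serial_le(now, expiration)


if __name__ == "__main__":
    # Ordinary 2012 signature: expiration listed first in the RRSIG text,
    # inception second, as the thread notes.
    exp, inc = to_serial("20120201000000"), to_serial("20120101000000")
    print(rrsig_time_valid(inc, exp, to_serial("20120115000000")))   # True
    # Near 2106 the expiration wraps and is numerically smaller than
    # inception, yet the window is still valid in serial arithmetic.
    inc_wrap, exp_wrap = MOD - 86400, 86400
    print(exp_wrap < inc_wrap, rrsig_time_valid(inc_wrap, exp_wrap, MOD - 100))
    # Inception 0 works until 2038, then 'now' is more than 68 years
    # ahead of 0 and the comparison inverts.
    print(rrsig_time_valid(0, exp, to_serial("20120115000000")),
          serial_le(0, to_serial("20500101000000")))              # True False
```

The last line demonstrates John's point: an inception of 0 is not harmless, because once the clock passes 2^31 seconds (early 2038) every signature so marked would appear not yet valid.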


_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext