Re: [dnsext] [dane] End of TTL during TLS setup
marka@isc.org Wed, 22 February 2012 15:46 UTC
Return-Path: <dnsext-bounces@ietf.org>
X-Original-To: namedroppers-archive-gleetwall6@lists.ietf.org
Delivered-To: ietfarch-namedroppers-archive-gleetwall6@ietfa.amsl.com
Received: from ietfa.amsl.com (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id CF64B21F87BA; Wed, 22 Feb 2012 07:46:35 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=ietf.org; s=ietf1; t=1329925595; bh=uM8cxaSLAFLnsHsfZCl9CMf/LZtw3AEkZaj7K9Cobts=; h=Date:Message-Id:From:To:Subject:List-Id:List-Unsubscribe: List-Archive:List-Post:List-Help:List-Subscribe:MIME-Version: Content-Type:Content-Transfer-Encoding:Sender; b=iUqEFZFiYDulSbWCLyK1KUGWMJCSzh9oFjVnEx4kN84wD9N/wPswf5g8AbG08MPdC w0gb7MoVWibFHVSmYP4IdyXdU62votvrLk4B0iBD3EDMKzA1/9YBtg6MBVT9ZJYu+I 7GdbVkYHDktyX2X4KkSVZvgRuTOnG2TxdDMGBDl4=
X-Original-To: dnsext@ietfa.amsl.com
Delivered-To: dnsext@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2938121F88EA for <dnsext@ietfa.amsl.com>; Tue, 21 Feb 2012 14:26:55 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.54
X-Spam-Level:
X-Spam-Status: No, score=-2.54 tagged_above=-999 required=5 tests=[AWL=0.059, BAYES_00=-2.599]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7yrWclvZStC5 for <dnsext@ietfa.amsl.com>; Tue, 21 Feb 2012 14:26:54 -0800 (PST)
Received: from mx.ams1.isc.org (mx.ams1.isc.org [IPv6:2001:500:60::65]) by ietfa.amsl.com (Postfix) with ESMTP id 6BAD411E809D for <dnsext@ietf.org>; Tue, 21 Feb 2012 14:26:54 -0800 (PST)
Received: from bikeshed.isc.org (bikeshed.isc.org [IPv6:2001:4f8:3:d::19]) (using TLSv1 with cipher DHE-RSA-CAMELLIA256-SHA (256/256 bits)) (Client CN "mail.isc.org", Issuer "RapidSSL CA" (not verified)) by mx.ams1.isc.org (Postfix) with ESMTPS id C517D5F98A2 for <dnsext@ietf.org>; Tue, 21 Feb 2012 22:26:38 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (unknown [IPv6:2001:470:1f00:820:3991:6a11:92e9:5d76]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by bikeshed.isc.org (Postfix) with ESMTPSA id A8918216C31 for <dnsext@ietf.org>; Tue, 21 Feb 2012 22:26:36 +0000 (UTC) (envelope-from marka@isc.org)
Received: from drugs.dv.isc.org (localhost [127.0.0.1]) by drugs.dv.isc.org (Postfix) with ESMTP id C8F3F1DA58B4 for <dnsext@ietf.org>; Wed, 22 Feb 2012 09:26:31 +1100 (EST)
Date: Wed, 22 Feb 2012 09:26:30 +1100
Message-Id: <20120221222631.C8F3F1DA58B4@drugs.dv.isc.org>
From: marka@isc.org
To: undisclosed-recipients:;
X-Mailman-Approved-At: Wed, 22 Feb 2012 07:46:34 -0800
Subject: Re: [dnsext] [dane] End of TTL during TLS setup
X-BeenThere: dnsext@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: DNS Extensions working group discussion list <dnsext.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/dnsext>, <mailto:dnsext-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/dnsext>
List-Post: <mailto:dnsext@ietf.org>
List-Help: <mailto:dnsext-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/dnsext>, <mailto:dnsext-request@ietf.org?subject=subscribe>
MIME-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: dnsext-bounces@ietf.org
Errors-To: dnsext-bounces@ietf.org
------- Blind-Carbon-Copy To: Andrew Sullivan <ajs@anvilwalrusden.com> Cc: dane@ietf.org From: Mark Andrews <marka@isc.org> References: <20120216215821.GQ29243@mail.yitter.info> <201202211638.q1LGcHdw003904@fs4113.wdf.sap.corp> <20120221170058.GE34608@mail.yitter.info> Subject: Re: [dane] End of TTL during TLS setup In-reply-to: Your message of "Tue, 21 Feb 2012 12:00:58 CDT." <20120221170058.GE34608@mail.yitter.info> Date: Wed, 22 Feb 2012 09:26:30 +1100 In message <20120221170058.GE34608@mail.yitter.info>, Andrew Sullivan writes: > On Tue, Feb 21, 2012 at 05:38:17PM +0100, Martin Rex wrote: > > > > To me that sounds _much_ too complicated. The TTL on a DNS record > > is not a security feature anyway, so I do not see a justification to > > treat TTLs of TLSA records any different than TTLs on other DNS > > records > > I'd actually agree with this but for the text that was already there, > which says that the negotiation has to complete before the TTL > expires. Your suggested alternative will not in some cases meet that > requirement. I presumed the WG had a reason to phrase it this way; if > not, then your suggestion is better. > > A The important time is the RRSIG's expiration time of the RRSIG that validated the RRset (i.e. you have to choose the correct one). TTL is a cache refresh parameter. You will get TTL's of zero seconds which means "use for this transaction" not "use within 0 seconds". [TTL trimming is also something that is not well specified in RFC 4035 but that is dnsext fodder for as long as dnsext exists. Personally I thing it is too early to shutdown dnsext as DNSSEC is just begining to be used widely enough for specification problems to start to surface from applications. Bcc: dnsext@ietf.org] - -- Mark Andrews, ISC 1 Seymour St., Dundas Valley, NSW 2117, Australia PHONE: +61 2 9871 4742 INTERNET: marka@isc.org ------- End of Blind-Carbon-Copy _______________________________________________ dnsext mailing list dnsext@ietf.org https://www.ietf.org/mailman/listinfo/dnsext