Re: [dnsext] SIG inception/expiration

Miek Gieben <miek@miek.nl> Mon, 02 January 2012 14:03 UTC

Date: Mon, 02 Jan 2012 15:03:38 +0100
From: Miek Gieben <miek@miek.nl>
To: dnsext@ietf.org
Message-ID: <20120102140337.GJ12764@miek.nl>
Mail-Followup-To: dnsext@ietf.org
References: <20120102104613.GB12764@miek.nl> <20120102135227.EAA9D1AC279D@drugs.dv.isc.org>
MIME-Version: 1.0
In-Reply-To: <20120102135227.EAA9D1AC279D@drugs.dv.isc.org>
Subject: Re: [dnsext] SIG inception/expiration

[ Quoting <marka@isc.org> at 00:52 on Jan  3 in "Re: [dnsext] SIG inc..." ]
> 
> In message <20120102104613.GB12764@miek.nl>, Miek Gieben writes:
> > Hello list,
> > 
> > A recent dnssec-deployment discussion led to the question on why the
> > expiration/inception time in the RRSIG are in the "wrong" order.
> 
> Actually the order makes lots of sense.  Expiration time is almost
> always the critical value in a signature.  Inception time is almost
> always in the past.  One could completely remove inception time
> and still have secure signatures.

But was this the original reason to change the order?

And someone, not trained in the Jedi ways of DNSSEC, will look at an RRSIG and
assume the first time stamp is the inception and the second one is expiration.

 grtz,

-- 
    Miek
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
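The field order the thread is arguing about is visible directly in the RRSIG RDATA layout of RFC 4034 section 3.1: Signature Expiration is serialised before Signature Inception, and the presentation format prints them in that same order, which is the trap Miek describes for a reader who assumes "first timestamp = inception". The example below is added here and is not code from Miek's message, from Mark Andrews, or from any project the thread mentions. It builds a small RRSIG RDATA from constructed values (type A, algorithm 8, key tag 12345, signer "example.", an 8-byte placeholder in place of a real signature, and the times 2012-02-01 and 2012-01-02 UTC), parses it back, prints the zone-file form, and applies the RFC 4034 section 3.1.5 validity-window check with the RFC 1982 serial-number comparison that the spec requires for these 32-bit fields.

```python
import base64
import struct
import time

# RRSIG RDATA fixed-size prefix, RFC 4034 section 3.1, network byte order:
#   Type Covered (2) | Algorithm (1) | Labels (1) | Original TTL (4) |
#   Signature Expiration (4) | Signature Inception (4) | Key Tag (2)
# Note the order: Expiration is serialised BEFORE Inception.
RRSIG_FIXED = struct.Struct("!HBBIIIH")
SERIAL_HALF = 1 << 31  # half the 32-bit space, RFC 1982 serial arithmetic
TYPE_MNEMONIC = {1: "A", 2: "NS", 6: "SOA", 48: "DNSKEY"}  # subset, for display

def encode_name(name):
    """Dotted name -> uncompressed wire-format name (RFC 1035 section 3.1)."""
    out = bytearray()
    for label in name.rstrip(".").split("."):
        if label:
            raw = label.encode("ascii")
            out.append(len(raw))
            out += raw
    out.append(0)
    return bytes(out)

def decode_name(data, offset):
    """Wire-format name at `offset` -> (dotted name, offset just past it)."""
    labels = []
    while True:
        length = data[offset]
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length

def build_rrsig_rdata(type_covered, algorithm, labels, original_ttl,
                      expiration, inception, key_tag, signer, signature):
    """Serialise RRSIG RDATA; fields are taken in RFC 4034 wire order."""
    fixed = RRSIG_FIXED.pack(type_covered, algorithm, labels, original_ttl,
                             expiration, inception, key_tag)
    return fixed + encode_name(signer) + signature

def parse_rrsig_rdata(rdata):
    """Parse RRSIG RDATA into a dict keyed by RFC 4034 field name."""
    (type_covered, algorithm, labels, original_ttl,
     expiration, inception, key_tag) = RRSIG_FIXED.unpack_from(rdata, 0)
    signer, off = decode_name(rdata, RRSIG_FIXED.size)
    return {"type_covered": type_covered, "algorithm": algorithm,
            "labels": labels, "original_ttl": original_ttl,
            "expiration": expiration, "inception": inception,
            "key_tag": key_tag, "signer": signer, "signature": rdata[off:]}

def serial_lt(a, b):
    """RFC 1982: is a < b in 32-bit serial-number arithmetic?"""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a < SERIAL_HALF) or (a > b and a - b > SERIAL_HALF)

def rrsig_time_valid(inception, expiration, now):
    """RFC 4034 section 3.1.5: the signature is inside its validity window when
    inception <= now <= expiration, compared with serial-number arithmetic so
    the check still behaves when the 32-bit field wraps (in 2106)."""
    return not serial_lt(now, inception) and not serial_lt(expiration, now)

def sigtime_presentation(ts):
    """Presentation form of a signature time: YYYYMMDDHHmmSS in UTC."""
    return time.strftime("%Y%m%d%H%M%S", time.gmtime(ts))

def rrsig_presentation(fields):
    """Zone-file RDATA text. The first timestamp printed is the EXPIRATION."""
    return " ".join([
        TYPE_MNEMONIC.get(fields["type_covered"], "TYPE%d" % fields["type_covered"]),
        str(fields["algorithm"]), str(fields["labels"]), str(fields["original_ttl"]),
        sigtime_presentation(fields["expiration"]),  # first time field
        sigtime_presentation(fields["inception"]),   # second time field
        str(fields["key_tag"]), fields["signer"],
        base64.b64encode(fields["signature"]).decode("ascii"),
    ])

# Constructed sample values (not from any real zone).
EXPIRATION = 1328054400   # 2012-02-01 00:00:00 UTC
INCEPTION = 1325462400    # 2012-01-02 00:00:00 UTC
PLACEHOLDER_SIG = bytes(range(1, 9))  # stands in for a real signature
SAMPLE_RDATA = build_rrsig_rdata(1, 8, 1, 3600, EXPIRATION, INCEPTION,
                                 12345, "example.", PLACEHOLDER_SIG)

def parsed_sample():
    return parse_rrsig_rdata(SAMPLE_RDATA)

if __name__ == "__main__":
    f = parsed_sample()
    print("wire bytes 8..12 (expiration):", SAMPLE_RDATA[8:12].hex())
    print("wire bytes 12..16 (inception):", SAMPLE_RDATA[12:16].hex())
    print("presentation:", rrsig_presentation(f))
    for now in (INCEPTION - 1, INCEPTION, 1325513018, EXPIRATION, EXPIRATION + 1):
        print(sigtime_presentation(now), "valid" if rrsig_time_valid(f["inception"], f["expiration"], now) else "expired/not yet valid")
```

Reading the output with the thread in mind: a validator only ever needs expiration to reject a stale signature, which is Mark's point, but the inception field still matters for the window check above, and in both the wire and the text form it is the second of the two timestamps, not the first.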