Re: [dnsext] [dane] End of TTL during TLS setup

Edward Lewis <Ed.Lewis@neustar.biz> Thu, 23 February 2012 16:53 UTC

Message-Id: <a06240804cb6c1cd492c6@[10.31.203.212]>
In-Reply-To: <20120221222631.C8F3F1DA58B4@drugs.dv.isc.org>
References: <20120221222631.C8F3F1DA58B4@drugs.dv.isc.org>
Date: Thu, 23 Feb 2012 11:50:24 -0500
To: dnsext@ietf.org
From: Edward Lewis <Ed.Lewis@neustar.biz>
Cc: ed.lewis@neustar.biz
Subject: Re: [dnsext] [dane] End of TTL during TLS setup

At 9:26 +1100 2/22/12, <marka@isc.org> wrote:
>------- Blind-Carbon-Copy

?, Well, I don't think this was meant to be private.

>The important time is the RRSIG's expiration time of the RRSIG that
>validated the RRset (i.e. you have to choose the correct one).  TTL
>is a cache refresh parameter.  You will get TTL's of zero seconds
>which means "use for this transaction" not "use within 0 seconds".
>
>[TTL trimming is also something that is not well specified in RFC 4035
>but that is dnsext fodder for as long as dnsext exists.  Personally I
>think it is too early to shut down dnsext as DNSSEC is just beginning to
>be used widely enough for specification problems to start to surface
>from applications. Bcc: dnsext@ietf.org]

Before using the value in any field (of any protocol) you need to 
know what it is there for.

The TTL is there to keep DNS cache contents fresh.  It's an estimate 
of how long the authority server thinks the data will remain constant.

The RRSIG expiry is the time at which the signature is no longer 
valid as proof of source authenticity and data integrity of the set 
it "covers."  In addition, the time fields in RRSIG are providing a 
defense against replay attacks and a rudimentary means of dealing 
with the need to revoke cryptographic-based credentials.

Neither of these addresses the correctness of the data, the timeliness 
of the data, the sequence of the data, etc.  The TTL is there solely 
to enable the caching mechanism and the RRSIG dates are there solely 
to protect the DNSSEC validation process.

Any other uses of those fields may engender unintended consequences.

Have we ever ended a Telnet session because the A record TTL'd out?
-- 
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
Edward Lewis
NeuStar                    You can leave a voice message at +1-571-434-5468

2012...time to reuse those 1984 calendars!
_______________________________________________
dnsext mailing list
dnsext@ietf.org
https://www.ietf.org/mailman/listinfo/dnsext
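The two time fields the thread is arguing about do have one well-defined point of contact: RFC 4035 section 5.3.3 tells a validating resolver to trim the cache TTL of an authenticated RRset to no more than the time left until the covering RRSIG expires, and RFC 4034 section 3.1.5 says the RRSIG timestamps are 32-bit values compared with serial-number arithmetic. The following is an added example, not code from the original message or from any IETF document; it implements that trimming and the replay check the RRSIG window provides, on constructed record values. The `RRSIG` dataclass, the function names and the sample timestamps are this example's own. It also shows the TTL-zero case Mark Andrews mentions (the record may still be used for the transaction in hand; it just yields nothing to cache).

```python
"""Added example: how a DNSSEC validator uses the TTL and the RRSIG
validity window, and what each one actually governs.

- TTL: an upper bound on how long a cache may keep the RRset.
- RRSIG inception/expiration: the window in which the signature is
  acceptable as proof of origin and integrity (and hence a replay
  defence).  RFC 4035 s.5.3.3 ties them together by capping the cache
  TTL at the seconds remaining until expiration.

Record values below are constructed for illustration.
"""
from dataclasses import dataclass

MOD32 = 1 << 32          # RRSIG timestamps are 32-bit seconds since epoch
HALF32 = MOD32 // 2


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 serial-number comparison: True when a < b (mod 2^32)."""
    a, b = a % MOD32, b % MOD32
    return (a < b and b - a < HALF32) or (a > b and a - b > HALF32)


@dataclass(frozen=True)
class RRSIG:
    """The RRSIG fields relevant to timing (RFC 4034 s.3.1)."""
    original_ttl: int   # Original TTL field
    inception: int      # Signature Inception (32-bit timestamp)
    expiration: int     # Signature Expiration (32-bit timestamp)
    ttl: int            # TTL of the RRSIG RR itself, as received


def signature_valid_at(sig: RRSIG, now: int) -> bool:
    """RFC 4034 s.3.1.5: usable iff inception <= now <= expiration,
    evaluated in serial-number arithmetic so that wraparound works."""
    return not serial_lt(now, sig.inception) and not serial_lt(sig.expiration, now)


def remaining_validity(sig: RRSIG, now: int) -> int:
    """Seconds until the signature expires, tolerant of 32-bit wraparound."""
    return (sig.expiration - now) % MOD32


def trimmed_ttl(rrset_ttl: int, sig: RRSIG, now: int) -> int:
    """RFC 4035 s.5.3.3: cache TTL for an authenticated RRset is at most
    min(RRset TTL, RRSIG TTL, Original TTL, expiration - now).

    Raises if the signature is outside its window: such an RRset must
    not be cached as authentic, which is the replay defence."""
    if not signature_valid_at(sig, now):
        raise ValueError("RRSIG outside its validity window (expired or replayed)")
    return min(rrset_ttl, sig.ttl, sig.original_ttl, remaining_validity(sig, now))


def cache_decision(rrset_ttl: int, sig: RRSIG, now: int) -> str:
    """Human-readable outcome: a TTL of 0 means 'use for this transaction,
    do not cache', not 'unusable'."""
    ttl = trimmed_ttl(rrset_ttl, sig, now)
    return "use once, do not cache" if ttl == 0 else f"cache for {ttl}s"


# --- constructed sample: a TLSA RRset signed for one week -------------------
SIG = RRSIG(original_ttl=3600, inception=1000, expiration=1000 + 7 * 86400, ttl=3600)

if __name__ == "__main__":
    ten_minutes_before_expiry = SIG.expiration - 600
    print(cache_decision(3600, SIG, ten_minutes_before_expiry))   # TTL trimmed to 600s
    print(cache_decision(0, SIG, ten_minutes_before_expiry))      # TTL 0: use once
    try:
        trimmed_ttl(3600, SIG, SIG.expiration + 1)                # replayed after expiry
    except ValueError as exc:
        print("rejected:", exc)
```

Note what the code does not do: it never consults a TLS session's lifetime. A record whose trimmed TTL reaches zero is simply evicted from the cache; a signature whose expiration passes simply stops being usable to validate a fresh answer. Whether an application should tear down a connection it set up with that data is a separate policy question, which is exactly the point the message above is making.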