[Opendnssec-user] timings and ttl

John Dickinson jad at sinodun.com
Mon Sep 23 10:06:01 UTC 2013 

On 19 Sep 2013, at 17:32, Joe Abley <jabley at hopcount.ca> wrote:

> 
> On 2013-09-19, at 12:20, Mathieu Arnold <mat at mat.cc> wrote:
> 
>> I was just wondering about the TTL of RRSIGs, say I have my ZSK rollover
>> set for every 30 days, if I add a record with a 10 weeks TTL, (yes, that's
>> a bit stupid, but, for the sake of the argument,) its RRSIG will also have
>> a 10 weeks TTL, and will still be alive in a cache somewhere long after the
>> ZSK is gone and buried.
>> 
>> So, is it a bad thing and RRSIG should not have their TTL to more than X,
>> or I'm overthinking it and we don't care because the cache would have
>> verified that the RRSIG is authentic when getting it and the fact that the
>> key it’s referencing is not there any more is not important ?
> 
> Validating resolvers will drop an RRSIG from a cache and re-fetch if the local clock has ticked past the expiration timer specified in the corresponding RRSIG RDATA field. Non-validating resolvers don't have to care.
> 
> RFC 4033
> 
> 8.1.  TTL Values vs. RRSIG Validity Period
> 
>   It is important to note the distinction between a RRset's TTL value
>   and the signature validity period specified by the RRSIG RR covering
>   that RRset.  DNSSEC does not change the definition or function of the
>   TTL value, which is intended to maintain database coherency in
>   caches.  A caching resolver purges RRsets from its cache no later
>   than the end of the time period specified by the TTL fields of those
>   RRsets, regardless of whether the resolver is security-aware.
> 
>   The inception and expiration fields in the RRSIG RR ([RFC4034]), on
>   the other hand, specify the time period during which the signature
>   can be used to validate the covered RRset.  The signatures associated
>   with signed zone data are only valid for the time period specified by
>   these fields in the RRSIG RRs in question.  TTL values cannot extend
>   the validity period of signed RRsets in a resolver's cache, but the
>   resolver may use the time remaining before expiration of the
>   signature validity period of a signed RRset as an upper bound for the
>   TTL of the signed RRset and its associated RRSIG RR in the resolver's
>   cache.
> 

There is also RFC 4035
"4.5.  Response Caching

   A security-aware resolver SHOULD cache each response as a single
   atomic entry containing the entire answer, including the named RRset
   and any associated DNSSEC RRs.  The resolver SHOULD discard the
   entire atomic entry when any of the RRs contained in it expire. ..."

John
---
jad at sinodun.com

http://sinodun.com

Sinodun Internet Technologies Ltd.
Stables 4, Suite 11,
Howbery Park,
Wallingford,
Oxfordshire,
OX10 8BA,
U.K.

+44 (0)1491 834957

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 841 bytes
Desc: Message signed with OpenPGP using GPGMail
URL: <http://lists.opendnssec.org/pipermail/opendnssec-user/attachments/20130923/ad06cc46/attachment.bin>

More information about the Opendnssec-user mailing list