Laurie: Improving SSL certificate security
Posted Apr 2, 2011 23:16 UTC (Sat) by Cyberax (✭ supporter ✭, #52523)
In reply to: Laurie: Improving SSL certificate security by Lennie
Parent article: Laurie: Improving SSL certificate security
This is not true. DNSSEC does not rely on TTL of cache entries.
>- Almost no one has DNSSEC deployed right now, about 20% of the top-level-domains have now been signed with DNSSEC. The day before yesterday .com got signed. But not all of them allow customers to get DNSSEC-signed domains and most domain registrars don't have their processes/software in place to register/deploy DNSSEC-signed domains yet.
This is kinda true. A lot of registrars have ability to add DS records along with regular DNS glue if you want to host domains on your own server, but (almost?) nobody has a good web UI.
Posted Apr 3, 2011 1:44 UTC (Sun)
by Lennie (subscriber, #49641)
[Link] (2 responses)
DNSSEC is actually pretty complicated
I thought it was:
As the request asks for them both at the same time, and if available you get both in the response, I would expect:
whichever expires first determines the TTL of both
Posted Apr 3, 2011 12:10 UTC (Sun)
by Cyberax (✭ supporter ✭, #52523)
[Link] (1 response)
Signatures can become invalid if public keys disappear from relevant DNS servers. But this has nothing to do with TTL and caches.
Posted Apr 21, 2011 12:19 UTC (Thu)
by robbe (guest, #16131)
[Link]
They do. Search RFC4034 for "signature expiration".
But Lennie's expire-within-seconds is hyperbole. Normal expiry is in hours or days. If your clock is off a few hours, you have my sympathy. Just fix it already.
if the data expired, you should send a new request to an authoritative server
if the DNSSEC signature expired, you should send a new request to an authoritative server.
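The interaction the thread argues about (Lennie's "whichever expires first determines the TTL of both", robbe's pointer to the RFC 4034 signature-expiration field, and his remark about skewed clocks) can be shown concretely. The following is an added example, not code from the LWN thread or from any resolver: it parses the validity window of an RRSIG record in presentation format (RFC 4034 §3.1.5, with the RFC 1982 serial-number arithmetic that section requires), decides whether the signature is current, and bounds the cache lifetime of the signed RRset by the time left before signature expiration, which is what RFC 4035 §4.5 asks of a validating resolver. The RRSIG line, its key tag and its signature data are constructed for illustration and the signature is not cryptographically verified here.

```python
"""Added example: RRSIG validity window versus cache TTL (not from the thread)."""
from datetime import datetime, timezone

SERIAL_BITS = 1 << 32
SERIAL_HALF = 1 << 31

# Constructed sample RRSIG in presentation format (RFC 4034 §3.2). The key tag
# and the base64 signature are dummy values; nothing here verifies the signature.
SAMPLE_RRSIG = (
    "example.com. 86400 IN RRSIG A 8 2 86400 "
    "20110501000000 20110401000000 12345 example.com. MTIz"
)


def parse_rrsig_time(text: str) -> int:
    """RFC 4034 §3.1.5: YYYYMMDDHHmmSS in UTC, or a plain unsigned 32-bit
    count of seconds since the epoch."""
    if len(text) == 14 and text.isdigit():
        dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp()) % SERIAL_BITS
    return int(text) % SERIAL_BITS


def parse_rrsig_line(line: str) -> dict:
    """Split one presentation-format RRSIG RR into its fields."""
    f = line.split()
    assert f[3] == "RRSIG", "not an RRSIG record"
    return {
        "owner": f[0],
        "ttl": int(f[1]),            # RFC 4034 §3: must equal the covered RRset's TTL
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "labels": int(f[6]),
        "original_ttl": int(f[7]),
        "expiration": parse_rrsig_time(f[8]),
        "inception": parse_rrsig_time(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
        "signature_b64": f[12],      # dummy in the sample; not checked
    }


def serial_lt(a: int, b: int) -> bool:
    """a < b in RFC 1982 serial-number arithmetic (32-bit)."""
    d = (b - a) % SERIAL_BITS
    return 0 < d < SERIAL_HALF


def serial_le(a: int, b: int) -> bool:
    return a == b or serial_lt(a, b)


def signature_is_current(inception: int, expiration: int, now: int, skew: int = 0) -> bool:
    """True if inception <= now <= expiration. `skew` widens the window by that
    many seconds on each side to tolerate a slightly wrong local clock; the
    default of 0 is the strict RFC 4035 §5.3.1 check."""
    lo = (inception - skew) % SERIAL_BITS
    hi = (expiration + skew) % SERIAL_BITS
    return serial_le(lo, now) and serial_le(now, hi)


def effective_ttl(rrsig: dict, now: int, skew: int = 0) -> int:
    """Cache lifetime for the RRset and its RRSIG: the smaller of the record
    TTL and the seconds left before the signature expires (RFC 4035 §4.5).
    An RRset whose signature is not currently valid gets no cache lifetime."""
    if not signature_is_current(rrsig["inception"], rrsig["expiration"], now, skew):
        return 0
    remaining = (rrsig["expiration"] - now) % SERIAL_BITS
    return min(rrsig["ttl"], remaining)


if __name__ == "__main__":
    sig = parse_rrsig_line(SAMPLE_RRSIG)
    for when in ("20110403121000", "20110430235000", "20110501025000"):
        now = parse_rrsig_time(when)
        print(when, "valid:", signature_is_current(sig["inception"], sig["expiration"], now),
              "cache for:", effective_ttl(sig, now), "s")
```

Run against the constructed record, the cache bound is the full 86400 s TTL four weeks before expiry, collapses to 600 s ten minutes before expiry (the "whichever expires first" case), and is 0 once the local clock says the signature has expired. A clock that is three hours fast turns a perfectly good signature into a validation failure unless the resolver is told to tolerate that skew, which is robbe's point about fixing the clock rather than the resolver.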
