|
|
Log in / Subscribe / Register

Laurie: Improving SSL certificate security

Laurie: Improving SSL certificate security

Posted Apr 2, 2011 23:16 UTC (Sat) by Cyberax (✭ supporter ✭, #52523)
In reply to: Laurie: Improving SSL certificate security by Lennie
Parent article: Laurie: Improving SSL certificate security

>the clock of that client needs to be in sync. SSL-certs are valid for months or some years. But DNS-records are only valid for days or hours, maybe months. Sometimes seconds.

This is not true. DNSSEC does not rely on TTL of cache entries.

>- Almost no one has DNSSEC deployed right now, about 20% of the top-level-domains have now been signed with DNSSEC. The day before yesterday .com got signed. But not all of them allow customers to get DNSSEC-signed domains and most domain registrars don't have their processes/software in place to register/deploy DNSSEC-signed domains yet.
This is kinda true. A lot of registrars have ability to add DS records along with regular DNS glue if you want to host domains on your own server, but (almost?) nobody has a good web UI.

to post comments

Laurie: Improving SSL certificate security

Posted Apr 3, 2011 1:44 UTC (Sun) by Lennie (subscriber, #49641) [Link] (2 responses)

> DNSSEC does not rely on TTL of cache entries

DNSSEC is actually pretty complicated

I thought it was:
if the data expired, you should send a new request to the an authoritive server
if the DNSSEC-signature expired, you should send a new request to the an authoritive server.

As the request requests them both at the same time and if available you get both as a response... I would expect:

whichever expires first determines the TTL of both

Laurie: Improving SSL certificate security

Posted Apr 3, 2011 12:10 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

DNSSEC signatures can't 'expire', they just authenticate answers without any additional functionality.

Signatures can become invalid if public keys disappear from relevant DNS servers. But this has nothing to do with TTL and caches.

Laurie: Improving SSL certificate security

Posted Apr 21, 2011 12:19 UTC (Thu) by robbe (guest, #16131) [Link]

> DNSSEC signatures can't 'expire',

They do. Search RFC4034 for "signature expiration".

But Lennie's expire-within-seconds is hyperbole. Normal expiry is in hours or days. If your clock is off a few hours, you have my sympathy. Just fix it already.


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds