
Laurie: Improving SSL certificate security

Posted Apr 3, 2011 1:44 UTC (Sun) by Lennie (subscriber, #49641)
In reply to: Laurie: Improving SSL certificate security by Cyberax
Parent article: Laurie: Improving SSL certificate security

> DNSSEC does not rely on TTL of cache entries

DNSSEC is actually pretty complicated

I thought it was:
if the data expired, you should send a new request to an authoritative server
if the DNSSEC signature expired, you should send a new request to an authoritative server.

As the request requests them both at the same time and if available you get both as a response... I would expect:

whichever expires first determines the TTL of both


to post comments

Laurie: Improving SSL certificate security

Posted Apr 3, 2011 12:10 UTC (Sun) by Cyberax (✭ supporter ✭, #52523) [Link] (1 responses)

DNSSEC signatures can't 'expire', they just authenticate answers without any additional functionality.

Signatures can become invalid if public keys disappear from relevant DNS servers. But this has nothing to do with TTL and caches.

Laurie: Improving SSL certificate security

Posted Apr 21, 2011 12:19 UTC (Thu) by robbe (guest, #16131) [Link]

> DNSSEC signatures can't 'expire',

They do. Search RFC4034 for "signature expiration".

But Lennie's expire-within-seconds is hyperbole. Normal expiry is in hours or days. If your clock is off a few hours, you have my sympathy. Just fix it already.
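The caching rule Lennie is reasoning towards is spelled out in RFC 4035 section 5.3.3: a validator must cache an authenticated RRset (and its RRSIG) for no longer than the minimum of the RRset TTL, the RRSIG TTL, the RRSIG's Original TTL field, and the time left until the signature expiration, so whichever expires first really does bound both. The following is an added example, not code from the thread or from LWN, applying that rule to constructed timestamps; the function names are the example's own and the inception/expiration window is made up for illustration.

```python
"""RFC 4035 section 5.3.3 cache-TTL capping for a validated RRset.

All timestamps and TTLs below are constructed sample values, not a real zone.
Timestamps use the RFC 4034 presentation format YYYYMMDDHHmmSS in UTC; the
32-bit serial-number wraparound of the wire format is ignored for clarity.
"""
from datetime import datetime, timezone


def parse_rrsig_time(text: str) -> int:
    """Convert an RRSIG inception/expiration field to Unix time (UTC)."""
    return int(datetime.strptime(text, "%Y%m%d%H%M%S")
               .replace(tzinfo=timezone.utc).timestamp())


def signature_valid_at(inception: int, expiration: int, now: int) -> bool:
    """RFC 4035 5.3.1: valid when inception <= now <= expiration (inclusive)."""
    return inception <= now <= expiration


def effective_ttl(rrset_ttl: int, rrsig_ttl: int, original_ttl: int,
                  inception: int, expiration: int, now: int):
    """Return the longest time the RRset may be cached, or None if bogus.

    None covers the case robbe describes: a resolver whose clock is off
    enough to fall outside the validity window must not cache the answer.
    """
    if not signature_valid_at(inception, expiration, now):
        return None
    return min(rrset_ttl, rrsig_ttl, original_ttl, expiration - now)


if __name__ == "__main__":
    # Constructed one-week signature window, one-day TTLs everywhere.
    inc = parse_rrsig_time("20110403120000")
    exp = parse_rrsig_time("20110410120000")
    ttl = 86400
    for label, now in [("fresh signature", "20110403130000"),
                       ("one hour before expiry", "20110410110000"),
                       ("clock one hour slow", "20110403110000")]:
        cap = effective_ttl(ttl, ttl, ttl, inc, exp, parse_rrsig_time(now))
        print(f"{label}: cache for {cap} seconds" if cap is not None
              else f"{label}: bogus, do not cache")
```

The second case shows the TTL collapsing from a day to an hour because the signature runs out first; the third shows why a skewed clock makes the whole answer unusable rather than merely shortening its life.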


Copyright © 2026, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds