Laurie: Improving SSL certificate security

Posted Apr 3, 2011 12:10 UTC (Sun) by Cyberax (✭ supporter ✭, #52523)
In reply to: Laurie: Improving SSL certificate security by Lennie
Parent article: Laurie: Improving SSL certificate security

DNSSEC signatures can't 'expire', they just authenticate answers without any additional functionality.

Signatures can become invalid if public keys disappear from relevant DNS servers. But this has nothing to do with TTL and caches.

Laurie: Improving SSL certificate security

Posted Apr 21, 2011 12:19 UTC (Thu) by robbe (guest, #16131) [Link]

> DNSSEC signatures can't 'expire',

They do. Search RFC4034 for "signature expiration".

But Lennie's expire-within-seconds is hyperbole. Normal expiry is in hours or days. If your clock is off a few hours, you have my sympathy. Just fix it already.