[Unbound-users] Expired RRSIGs, yet still "AD" flag set
wouter at NLnetLabs.nl
Thu Mar 31 06:55:44 UTC 2011
-----BEGIN PGP SIGNED MESSAGE-----
On 03/30/2011 09:52 PM, Hauke Lampe wrote:
> On 30.03.2011 14:49, W.C.A. Wijngaards wrote:
>> Actually unbound caps the TTL so it does not extend beyond the
>> expiration time. Or, it should, and there is a bug.
> I increased the maximum cache TTL from the default 1 day to 1 week.
> Could that be a factor here?
yes. But unbound should still stop the TTL at the expiration time. But
maybe the TTL was very large and the 10% skew, with the higher max-ttl,
gave a larger extra-lenience.
> # the time to live (TTL) value cap for RRsets and messages in the
> # cache. Items are not cached for longer. In seconds.
> cache-max-ttl: 604800
> In a discussion on IRC, a question came up whether "an attacker can
> tamper with TTLs on the wire and cause data to never ever expire, even
> long after their signature has expired" and have an application like
> OpenSSH still believe in the AD flag.
not for unbound, because of the max-ttl.
> I haven't quite wrapped my head around how that could work, yet. It
> seems like a lot of effort for little gain. I'm thinking of dynamic
> address records or SSHFP here. Is the original TTL in the RRSIG data
> taken into account anywhere?
Yes the TTL can not be larger than that original TTL. Unbound adjusts
it lower if so.
> I guess, I'll have to read up on some more DNSSSEC details now.
> Thanks for all the answers.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/
-----END PGP SIGNATURE-----
More information about the Unbound-users