Maintained by: NLnet Labs

[Unbound-users] Expired RRSIGs, yet still "AD" flag set

Hauke Lampe
Wed Mar 30 21:52:34 CEST 2011


On 30.03.2011 14:49, W.C.A. Wijngaards wrote:

> Actually unbound caps the TTL so it does not extend beyond the
> expiration time.  Or, it should, and there is a bug.

I increased the maximum cache TTL from the default 1 day to 1 week.
Could that be a factor here?

# the time to live (TTL) value cap for RRsets and messages in the
# cache. Items are not cached for longer. In seconds.
cache-max-ttl: 604800


In a discussion on IRC, a question came up whether "an attacker can
tamper with TTLs on the wire and cause data to never ever expire, even
long after their signature has expired" and have an application like
OpenSSH still believe in the AD flag.

I haven't quite wrapped my head around how that could work, yet. It
seems like a lot of effort for little gain. I'm thinking of dynamic
address records or SSHFP here. Is the original TTL in the RRSIG data
taken into account anywhere?

I guess I'll have to read up on some more DNSSEC details now.

Thanks for all the answers.


Hauke.
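The question raised above (whether a tampered wire TTL can keep signed data alive past its RRSIG expiration, and whether the Original TTL in the RRSIG is consulted) is answered by RFC 4035 section 5.3.3: a validator must cap the cached TTL at the minimum of the received TTL, the RRSIG's Original TTL field and the seconds remaining until the RRSIG's Signature Expiration. The following is an added illustration written for this page, not Unbound's code; the record data, timestamps and the `naive_cache_ttl` counter-example are constructed, and the resolver's `cache-max-ttl` is modelled as a plain parameter.

```python
"""Validator-side TTL capping for a signed RRset (RFC 4035 section 5.3.3).

Added example, not Unbound code. A validating resolver must not cache an
RRset longer than the covering RRSIG's Original TTL and must not cache it
past the RRSIG's expiration, whatever TTL an on-path attacker put into the
wire RRset. All sample values below are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional


def parse_rrsig_time(text: str) -> int:
    """Convert an RRSIG presentation-format timestamp (YYYYMMDDHHmmSS, UTC)
    to the seconds-since-epoch value carried in the wire-format RRSIG."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


@dataclass(frozen=True)
class Rrsig:
    """The RRSIG RDATA fields that matter for TTL capping (RFC 4034 section 3.1)."""
    original_ttl: int   # TTL the RRset had when it was signed
    inception: int      # signature valid from (epoch seconds)
    expiration: int     # signature valid until (epoch seconds)


def naive_cache_ttl(wire_ttl: int, cache_max_ttl: int) -> int:
    """Counter-example: a cache that applies only its own cache-max-ttl and
    trusts the TTL seen on the wire. A validator must NOT do this, because an
    attacker-inflated TTL can then outlive the signature."""
    return min(wire_ttl, cache_max_ttl)


def validated_cache_ttl(wire_ttl: int, rrsig: Rrsig, now: int,
                        cache_max_ttl: int) -> Optional[int]:
    """TTL a validating resolver may cache the RRset with.

    Returns None when `now` lies outside the signature validity window
    (RFC 4035 section 5.3.1): the RRset is then Bogus, is not cached as
    secure and no AD flag is set. Otherwise the TTL is capped at the
    RRSIG's Original TTL and at the seconds left until expiration, so a
    tampered wire TTL cannot extend the lifetime; the resolver's own
    cache-max-ttl is applied on top of that.
    """
    if not (rrsig.inception <= now <= rrsig.expiration):
        return None
    return min(wire_ttl, rrsig.original_ttl, rrsig.expiration - now, cache_max_ttl)


def demo() -> dict:
    """Constructed scenario: an SSHFP-style RRset signed with a 1 hour TTL and a
    two-week validity window, replayed with a TTL inflated to one week against
    a resolver whose cache-max-ttl is also one week (604800 s)."""
    sig = Rrsig(original_ttl=3600,
                inception=parse_rrsig_time("20110323000000"),
                expiration=parse_rrsig_time("20110406000000"))
    now = parse_rrsig_time("20110330215234")
    tampered_wire_ttl = 604800
    cache_max_ttl = 604800
    return {
        "seconds_until_expiration": sig.expiration - now,
        "naive": naive_cache_ttl(tampered_wire_ttl, cache_max_ttl),
        "validated": validated_cache_ttl(tampered_wire_ttl, sig, now, cache_max_ttl),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

With the constructed data the naive cache would hold the record for 604800 s, about 78000 s beyond the signature's expiration, while the validator caps it at the Original TTL of 3600 s; as the expiration approaches, the cap falls further to the seconds remaining, and once the window has passed the data is rejected outright rather than cached.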

