Maintained by: NLnet Labs

[Unbound-users] Expired RRSIGs, yet still "AD" flag set

W.C.A. Wijngaards
Thu Mar 31 08:55:44 CEST 2011


Hi Hauke,

On 03/30/2011 09:52 PM, Hauke Lampe wrote:
> 
> On 30.03.2011 14:49, W.C.A. Wijngaards wrote:
> 
>> Actually unbound caps the TTL so it does not extend beyond the
>> expiration time.  Or, it should, and there is a bug.
> 
> I increased the maximum cache TTL from the default 1 day to 1 week.
> Could that be a factor here?

Yes.  But unbound should still stop the TTL at the expiration time.  But
maybe the TTL was very large and the 10% skew, with the higher max-ttl,
gave a larger extra-lenience.

> # the time to live (TTL) value cap for RRsets and messages in the
> # cache. Items are not cached for longer. In seconds.
> cache-max-ttl: 604800
> 
> 
> In a discussion on IRC, a question came up whether "an attacker can
> tamper with TTLs on the wire and cause data to never ever expire, even
> long after their signature has expired" and have an application like
> OpenSSH still believe in the AD flag.

Not for unbound, because of the max-ttl.

> I haven't quite wrapped my head around how that could work, yet. It
> seems like a lot of effort for little gain. I'm thinking of dynamic
> address records or SSHFP here. Is the original TTL in the RRSIG data
> taken into account anywhere?

Yes, the TTL cannot be larger than that original TTL.  Unbound adjusts
it lower if so.

> I guess, I'll have to read up on some more DNSSEC details now.
> 
> Thanks for all the answers.

Best regards,
   Wouter
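The clamping rules discussed in this thread, as an added example that is not part of the mailing-list post and is not Unbound's code: a simplified model in which the cached TTL of a signed RRset is bounded by the wire TTL, the RRSIG "Original TTL", the remaining signature lifetime, and cache-max-ttl. The scenario values (timestamps, a ten-year tampered wire TTL) are constructed for illustration.

```python
from dataclasses import dataclass

# Simplified model (not Unbound's implementation) of the TTL clamping described
# in the thread: a validator must not keep a signed RRset past the RRSIG
# expiration, past the RRSIG Original TTL, or past cache-max-ttl.

@dataclass(frozen=True)
class Rrsig:
    original_ttl: int   # Original TTL field of the RRSIG
    inception: int      # signature inception, seconds since epoch
    expiration: int     # signature expiration, seconds since epoch

def cache_ttl(wire_ttl: int, sig: Rrsig, now: int, cache_max_ttl: int = 86400) -> int:
    """Seconds a validating resolver may serve this RRset as secure (AD=1).
    Returns 0 when the signature is not valid at `now`."""
    if now < sig.inception or now >= sig.expiration:
        return 0
    return min(wire_ttl, sig.original_ttl, sig.expiration - now, cache_max_ttl)

def ad_flag_at(cached_at: int, ttl: int, query_time: int) -> bool:
    """Whether a cache hit at query_time would still be answered with AD set."""
    return cached_at <= query_time < cached_at + ttl

# Constructed scenario from the thread: an SSHFP RRset signed for one week with
# a two-week Original TTL, where the wire TTL has been rewritten to ten years.
T0 = 1_301_500_000                                   # arbitrary "now" (constructed)
SIG = Rrsig(original_ttl=14 * 86400, inception=T0 - 86400, expiration=T0 + 7 * 86400)
TAMPERED_WIRE_TTL = 10 * 365 * 86400

def demo() -> dict:
    ttl_default = cache_ttl(TAMPERED_WIRE_TTL, SIG, T0)                      # cache-max-ttl 1 day
    ttl_week = cache_ttl(TAMPERED_WIRE_TTL, SIG, T0, cache_max_ttl=604800)   # Hauke's setting
    # Queried ten minutes before expiry: the remaining signature lifetime wins.
    ttl_late = cache_ttl(TAMPERED_WIRE_TTL, SIG, SIG.expiration - 600, cache_max_ttl=604800)
    return {
        "default": ttl_default,
        "week": ttl_week,
        "late": ttl_late,
        "ad_after_expiry": ad_flag_at(T0, ttl_week, SIG.expiration + 1),
    }

if __name__ == "__main__":
    print(demo())
```

Without the expiration and max-ttl bounds the entry would live for the full tampered wire TTL; with them the largest cached lifetime is the week Hauke configured, and a cache hit after the signature expires is no longer served with AD set.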