On 04.03.2013 07:37, Paul Wouters wrote:
> On Sun, 3 Mar 2013, James Cloos wrote:
>
>>>>>>> "RB" == Richard Barnes <[email protected]> writes:
>>
>> RB> So short TTLs are the only tool you have.
>>
>> And that really ought to be sufficient.
>
> Just to clarify, it is the short RRSIGs that give you the "revocation"
> of removing the record from the zone, not the short TTL. If your RRSIG
> is set for 60 days, a short TTL does not prevent anyone from spoofing
> your old key.
Wouldn't an elapsed TTL of RRSIG as well as an elapsed TTL of TLSA trigger
a question to the authoritative NS?

And aren't both versions prone to replay attacks, because there is no
absolute time involved? I could just record the TLSA and RRSIG records and
replay them after the key is "revoked" until the signature in RRSIG is
expired or the ZSK has changed.

Thanks again.

Christian

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
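As an added example (my own code, not part of the thread or of any DANE implementation), the Python below parses a constructed TLSA RRSIG in RFC 4034 presentation format and compares the two windows the thread discusses: how long honest caches keep a withdrawn RRset (its TTL) versus how long a recorded copy still validates (the RRSIG expiration, an absolute UTC timestamp). The record contents, timestamps and function names are assumptions.

```python
"""Added example (not from the thread): RRSIG validity vs. RRset TTL.

RFC 4034 gives every RRSIG absolute inception/expiration timestamps
(YYYYMMDDHHmmSS, UTC).  A validator accepts the signature while
inception <= now <= expiration (RFC 4035 s.5.3.1); the TTL only says
how long an honest cache keeps the RRset before asking the NS again.
"""
from datetime import datetime, timedelta, timezone

# Constructed sample: TLSA RRSIG with ~60 days of validity and a 1h TTL.
# Fields: owner ttl class RRSIG type-covered alg labels orig-ttl
#         expiration inception keytag signer signature
SAMPLE_RRSIG = ("_443._tcp.example.com. 3600 IN RRSIG TLSA 8 4 3600 "
                "20130501000000 20130302000000 12345 example.com. dGVzdA==")

def rrsig_time(field):
    """RFC 4034 s.3.2 timestamp -> timezone-aware UTC datetime."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def parse_rrsig(text):
    """Pull owner, TTL and the validity window out of presentation format."""
    f = text.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG in presentation format")
    return {"owner": f[0], "ttl": int(f[1]), "type_covered": f[4],
            "expiration": rrsig_time(f[8]), "inception": rrsig_time(f[9])}

def validator_accepts(rrsig, now):
    """True while a (possibly replayed) copy of this RRSIG still validates."""
    return rrsig["inception"] <= now <= rrsig["expiration"]

def exposure_after_withdrawal(rrsig, withdrawn_at):
    """The two windows once the TLSA RRset is removed from the zone:
    honest caches age it out after TTL; a recorded copy keeps validating
    until the RRSIG expires, whatever the TTL was."""
    return {
        "cache_stale_until": withdrawn_at + timedelta(seconds=rrsig["ttl"]),
        "replay_valid_until": rrsig["expiration"],
        "replay_window": max(rrsig["expiration"] - withdrawn_at, timedelta(0)),
    }

if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE_RRSIG)
    withdrawn = rrsig_time("20130304120000")  # constructed removal time
    for k, v in exposure_after_withdrawal(sig, withdrawn).items():
        print(f"{k}: {v}")
```

Shortening the signature validity period (re-signing more often) is the knob that shrinks `replay_window`; lowering the TTL only moves `cache_stale_until`.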
