In message <[email protected]>, Martin Rex writes:
> Mark Andrews wrote:
> >
> > Martin Rex writes:
> > > Christian Becker wrote:
> > > > Comparing PKIX and DANE I regularly get asked about the certificate
> > > > revocation in DANE.
> > >
> > > There is no revocation in DANE.
> > >
> > > There is only expiration through RRSIG Signature Expiration
> > > and invalidation through zone key roll-over.
> > >
> > > > In that case the revocation process can only be considered
> > > > done when the TTL has elapsed.
> > >
> > > TTL is meaningless here. TTL's purpose is a mere guidance for caching,
> > > TTL does not provide any security. It is an unsigned(!!) DNS record
> > > attribute that an intermediary can make up at will.
> >
> > TTL is a signed field but instead of being a single value it is a
> > range. An intermediary can change it but the receiver knows what
> > the range is supposed to be and can fix any attempt to set it to a
> > value that is out of range.
>
> TTL is *NOT* signed.
>
> While there is an original TTL field that is signed:
> http://tools.ietf.org/html/rfc4034#section-3.1.4
>
> this will not prevent any intermediary (attacker) to produce
> new DNS responses with TTLs less than or equal to the original
> TTL field whenever necessary within the remaining RRSIG lifetime.
>
> -Martin
And the semantic difference is what? When you produce a RRSIG you are
saying to the world "all these TTL values are valid". It's just short
hand for generating TTL+1 RRSIG covering each possible value.

Mark
--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
