Mark Andrews wrote:
> > > > TTL is *NOT* signed.
> > >
> > While there is an original TTL field that is signed:
> > http://tools.ietf.org/html/rfc4034#section-3.1.4
> >
> > this will not prevent any intermediary (attacker) from producing
> > new DNS responses with TTLs less than or equal to the original
> > TTL field whenever necessary within the remaining RRSIG lifetime.
> >
> > -Martin
>
> And the semantic difference is what? When you produce a RRSIG you
> are saying to the world "all these TTL values are valid". It's
> just shorthand for generating TTL+1 RRSIG covering each possible
> value.
The original question was whether TTL provides revocation. No, TTL cannot possibly provide revocation (for DNSSEC-protected DNS records), because it can be made up at will by an intermediary attacker. Only the RRSIG lifetime and rolling the zone key are reliable in getting rid of DNSSEC-protected data that is no longer to be seen as valid.

It is like that "limited to one withdrawal per day" limit on ATM cards that is implemented by an unprotected counter that is stored on the ATM card itself. The crooks with a card reader/writer can simply reset that counter on the magnetic strip after withdrawal and perform multiple withdrawals (usually on ATMs of different banks) on the same day.

-Martin

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
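The exchange above turns on one detail of RFC 4034: a validator rebuilds the RRset in canonical form with every TTL replaced by the RRSIG's Original TTL field before checking the signature, so the TTL actually received never influences whether the signature verifies. The following is an added illustration, not code from the thread or from any DNS implementation: a toy signer and validator that follow that rule, then a walk through what an on-path attacker can do with a captured, signed RRset. HMAC-SHA256 stands in for the zone's public-key signature so the block runs with the standard library only; the zone name, address and key are constructed, and the canonical encoding is a simplified form of RFC 4034 section 3.1.8.1.

```python
"""Why a DNSSEC TTL cannot revoke: the RRSIG covers the Original TTL field,
so an on-path attacker may replay the RRset with any TTL up to that value
until the RRSIG Expiration passes. Added example; assumptions: HMAC-SHA256
stands in for the zone's public-key signature, all names/addresses/keys are
constructed, canonical form is a simplified RFC 4034 s3.1.8.1."""
import hashlib
import hmac
import struct

ZONE_KEY = b"constructed-zone-key"   # stand-in for the zone's private key (assumption)
TYPE_A = 1


def canonical_rrset(name, rtype, original_ttl, rdatas):
    """RRset in canonical form: owner lowercased, records sorted, and every
    TTL replaced by the RRSIG's Original TTL (RFC 4034 s3.1.8.1 / s6.2)."""
    owner = name.lower().encode()
    out = b""
    for rdata in sorted(rdatas):
        out += owner + struct.pack("!HIH", rtype, original_ttl, len(rdata)) + rdata
    return out


def _signed_data(rtype, original_ttl, inception, expiration, name, rdatas):
    # RRSIG RDATA fields (minus the signature itself) followed by the canonical RRset
    header = struct.pack("!HIII", rtype, original_ttl, expiration, inception)
    return header + canonical_rrset(name, rtype, original_ttl, rdatas)


def sign_rrset(name, rtype, ttl, rdatas, inception, expiration):
    """Zone signer: commits to Original TTL = the zone's TTL for this RRset."""
    rrsig = {"type_covered": rtype, "original_ttl": ttl,
             "inception": inception, "expiration": expiration}
    data = _signed_data(rtype, ttl, inception, expiration, name, rdatas)
    rrsig["signature"] = hmac.new(ZONE_KEY, data, hashlib.sha256).digest()
    return rrsig


def validate(name, rtype, wire_ttl, rdatas, rrsig, now):
    """Validating resolver. Returns (accepted, reason). The TTL seen on the
    wire never enters the signature check; it is only bounded from above."""
    if not rrsig["inception"] <= now <= rrsig["expiration"]:
        return False, "rrsig not valid at this time"
    if wire_ttl > rrsig["original_ttl"]:
        # RFC 4035 s5.3.3: a received TTL above Original TTL is not accepted as-is
        return False, "ttl above original ttl"
    data = _signed_data(rtype, rrsig["original_ttl"], rrsig["inception"],
                        rrsig["expiration"], name, rdatas)
    expected = hmac.new(ZONE_KEY, data, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rrsig["signature"]):
        return False, "bad signature"
    return True, "ok"


def cache_expiry(wire_ttl, rrsig, now):
    """When a cache drops the RRset: the earlier of the received TTL and the
    RRSIG Expiration (RFC 4035 s4.5). The attacker controls the first term
    only, and only downwards."""
    return min(now + wire_ttl, rrsig["expiration"])


def replay_scenarios(now):
    """What an on-path attacker can and cannot do with a captured signed RRset."""
    name, rdatas = "www.example.", [bytes([192, 0, 2, 1])]   # constructed
    day = 86400
    # Signed with TTL 3600 and a two-week RRSIG validity window
    rrsig = sign_rrset(name, TYPE_A, 3600, rdatas, now - day, now + 14 * day)
    return {
        "genuine": validate(name, TYPE_A, 3600, rdatas, rrsig, now)[0],
        # attacker lowers the TTL: still validates, signature never saw the TTL
        "ttl_lowered_to_1": validate(name, TYPE_A, 1, rdatas, rrsig, now)[0],
        # attacker raises the TTL above Original TTL: rejected
        "ttl_raised": validate(name, TYPE_A, 86400, rdatas, rrsig, now)[0],
        # operator published new data on day 2; the old RRset still validates on day 10
        "replay_day_10": validate(name, TYPE_A, 3600, rdatas, rrsig, now + 10 * day)[0],
        # only the RRSIG Expiration (or a key roll) ends the replay window
        "replay_day_15": validate(name, TYPE_A, 3600, rdatas, rrsig, now + 15 * day)[0],
        "rdata_changed": validate(name, TYPE_A, 3600,
                                  [bytes([198, 51, 100, 7])], rrsig, now)[0],
        # cache lifetime: attacker-chosen at the low end, Expiration-capped at the high end
        "cache_ttl_attacker_chosen": cache_expiry(5, rrsig, now) == now + 5,
        "cache_capped_by_expiration": cache_expiry(3600, rrsig, now + 14 * day - 60)
                                      == rrsig["expiration"],
    }
```

The scenario keys spell out the thread's conclusion: lowering the TTL costs the attacker nothing, raising it is caught, and replay of stale data keeps validating right up to the RRSIG Expiration, which is why only signature lifetime or a key roll can actually retire signed data.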
