On Thu, Feb 06, 2014 at 04:31:38AM +0000, Viktor Dukhovni wrote: > I must plead ignorance of the obstacle, what do you have in mind?
I am repeatedly informed by my man pages, RFC 3493, and every web browser implementer I've ever spoken to that getting the TTL on an RR coming to you from the system resolver is hard. I'd be more delighted than I can express to be misinformed, so if you know otherwise please say so. There is a new API (more a meta-api) that Paul Hoffman worked on (http://www.vpnc.org/getdns-api/) that I think we should all embrace partly for the above reason, but we're not even at 0-day with that yet AFAICT. > If learning DNS TTLs along with the RRset data is problematic, > application caches should have reasonably short maximum lifetimes. I recognise the basic impulse in what you're saying, but it gives me pause. Timing attacks involving DNS and the browser "pinning" policy have always struck me as plausible (and ISTR a demonstration, but I'm darned if I can come up with it now). But using this sort of trick for actual certificate stuff appears to make the target of any pinning-timing attack more valuable. Is that a problem? (That's not a rhetorical question. I'm an idiot.) [I get your other argument about lifetimes. Not trying to ignore, just accepting.] A -- Andrew Sullivan a...@anvilwalrusden.com _______________________________________________ dane mailing list dane@ietf.org https://www.ietf.org/mailman/listinfo/dane
