On Tue, 19 Sep 2023, Wessels, Duane wrote:

Section 4.7 of RFC 4035 talks about the “BAD cache” where an implementation can
cache data with invalid signatures.  It says:

  o Since RRsets that fail to validate do not have trustworthy TTLs,
    the implementation MUST assign a TTL. This TTL SHOULD be small,
    in order to mitigate the effect of caching the results of an
    attack.

I would expect an implementation to treat an expired signature the same
as described here, and not cache it for the full 3600 seconds in your
example, but rather the TTLs we talk about in this draft, from 1-300 seconds
(ideally with backoff).

Thanks for the explanation!

       also known as 'lame'

I thought the WG agreed the definition of 'lame' was not agreed upon and
the term is no longer being favoured for use. Why not just remove this part?

In this text where lame appears we are simply quoting RFC 4697.

Fair enough.

       To prevent such unnecessary DNS traffic, security-aware resolvers
       MUST cache DNSSEC validation failures, with some restrictions.

What are these "some restrictions" ?

Here our intention is to update this statement from RFC 4035 so that MAY
becomes MUST and "invalid signatures" becomes "validation failures" while
leaving the "some restrictions" in place.  AFAICT the restrictions that 4035
talks about are using short TTLs (as above) and (I think) to have some
query threshold for caching validation failures.  i.e., retry before
caching.

Should some of this make it into the document so the reader understands
the "some restrictions" ?

Paul
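As an added illustration (not code from the draft, RFC 4035, or either poster), a small resolver-side cache that applies the two restrictions discussed above: a query threshold before a validation failure is cached ("retry before caching"), and an assigned TTL from the 1-300 second range that backs off exponentially on repeated failures. The threshold of 2 consecutive failures, the doubling schedule, and the class and method names are assumptions made for the example.

```python
import time

MIN_TTL = 1          # seconds; lower end of the draft's 1-300 s range
MAX_TTL = 300        # seconds; upper end of that range
FAIL_THRESHOLD = 2   # assumption: consecutive failures before caching


class ValidationFailureCache:
    """Negative cache for DNSSEC validation failures, keyed by (qname, qtype).

    Because a failed RRset has no trustworthy TTL, the resolver assigns one
    itself: short, and growing with each consecutive failure up to MAX_TTL.
    """

    def __init__(self, min_ttl=MIN_TTL, max_ttl=MAX_TTL,
                 threshold=FAIL_THRESHOLD, clock=time.monotonic):
        self.min_ttl, self.max_ttl, self.threshold = min_ttl, max_ttl, threshold
        self.clock = clock          # injectable for testing
        self.failures = {}          # key -> consecutive validation failures
        self.entries = {}           # key -> (expiry, assigned ttl)

    @staticmethod
    def _key(qname, qtype):
        return (qname.rstrip(".").lower(), qtype.upper())

    def is_cached(self, qname, qtype):
        """True if the resolver should answer SERVFAIL without querying upstream."""
        key = self._key(qname, qtype)
        entry = self.entries.get(key)
        if entry is None:
            return False
        expiry, _ = entry
        if self.clock() >= expiry:
            del self.entries[key]   # TTL elapsed: retry validation upstream
            return False
        return True

    def record_failure(self, qname, qtype):
        """Count a failure; return the TTL assigned, or 0 if below threshold."""
        key = self._key(qname, qtype)
        count = self.failures[key] = self.failures.get(key, 0) + 1
        if count < self.threshold:
            return 0                # not cached yet: the "query threshold"
        # Backoff: min_ttl doubled for each failure beyond the threshold, capped.
        ttl = min(self.max_ttl, self.min_ttl * 2 ** (count - self.threshold))
        self.entries[key] = (self.clock() + ttl, ttl)
        return ttl

    def record_success(self, qname, qtype):
        """A validated answer clears both the failure count and any cached entry."""
        key = self._key(qname, qtype)
        self.failures.pop(key, None)
        self.entries.pop(key, None)
```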

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop