Salz, Rich wrote:
>> In MinimaLT, the current ephemeral key for the server is added to
>> the DNS record fetched during the DNS lookup. These entries expire fairly
>> quickly, ensuring that old keys are never used.
>
> Can you compare the TTL of the ephemeral key record with the
> A/AAAA record TTL? Are they related? If someone can get phony
> records into DNS, can they then become the real MLT server? For how long?
Admittedly I don't know anything about MLT, but your question indicates what might be a serious misunderstanding about DNSSEC.

The TTL of a DNS record is *NOT* protected by DNSSEC: it can be regenerated at will by an attacker, will be regenerated by intermediate DNS servers, and its purpose is purely cache management, *NOT* security. Only the "Signature Expiration" information in the RRSIG is protected by DNSSEC, and only that ensures expiry of information from DNS.

https://tools.ietf.org/html/rfc4034#section-3.1

-Martin
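To make the distinction concrete, here is an added example (my own code, not part of the thread or of any MinimaLT implementation) that builds the data DNSSEC actually signs for an RRset, following RFC 4034 section 3.1.8.1: the RRSIG RDATA minus the Signature field, followed by the RRset in canonical form with every RR's TTL replaced by the RRSIG's Original TTL. The received TTL therefore never enters the signature, while Inception and Expiration do, and those two fields are what bound the lifetime of the answer. The example.com A RRset, key tag, algorithm number and timestamps are constructed for illustration; real validation would hash this buffer and verify it against the DNSKEY, which is out of scope here.

```python
import hashlib
import struct

TYPE_A = 1
CLASS_IN = 1


def name_to_wire(name):
    """Canonical wire form of a domain name (RFC 4034 section 6.2):
    lowercase, uncompressed labels, terminated by the root label."""
    wire = b""
    for label in name.rstrip(".").lower().split("."):
        if label:
            wire += bytes([len(label)]) + label.encode("ascii")
    return wire + b"\x00"


def rrsig_rdata_without_sig(rrsig):
    """RRSIG RDATA in wire order with the Signature field omitted
    (RFC 4034 section 3.1). Original TTL, Signature Expiration and
    Signature Inception are covered by the signature; the TTL of the
    RRSIG record itself is not."""
    fixed = struct.pack(
        "!HBBIIIH",
        rrsig["type_covered"], rrsig["algorithm"], rrsig["labels"],
        rrsig["original_ttl"], rrsig["expiration"], rrsig["inception"],
        rrsig["key_tag"],
    )
    return fixed + name_to_wire(rrsig["signer"])


def canonical_rrset(rrsig, rrset):
    """RRset as it enters the signature (RFC 4034 sections 3.1.8.1 and
    6.3): each RR's TTL is replaced by the RRSIG's Original TTL, so the
    TTL a resolver received plays no part in validation. RRs are sorted
    by RDATA as unsigned octet strings. Assumes a non-wildcard owner."""
    wire_rrs = []
    for owner, rtype, rclass, _received_ttl, rdata in rrset:
        rr = (name_to_wire(owner)
              + struct.pack("!HHIH", rtype, rclass, rrsig["original_ttl"], len(rdata))
              + rdata)
        wire_rrs.append((rdata, rr))
    return b"".join(rr for _rdata, rr in sorted(wire_rrs))


def signed_data(rrsig, rrset):
    """The exact byte string a DNSSEC signer signs and a validator checks."""
    return rrsig_rdata_without_sig(rrsig) + canonical_rrset(rrsig, rrset)


def signed_data_digest(rrsig, rrset):
    """SHA-256 of the signed data; enough to show which bytes matter."""
    return hashlib.sha256(signed_data(rrsig, rrset)).hexdigest()


def serial_gt(a, b):
    """RFC 1982 serial-number 'greater than' for the 32-bit DNSSEC
    timestamps (RFC 4034 section 3.1.5)."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return a != b and ((a - b) & 0xFFFFFFFF) < 0x80000000


def rrsig_in_validity_window(rrsig, now):
    """RFC 4035 section 5.3.1: Inception <= now <= Expiration, compared
    in serial arithmetic. This, not any TTL, bounds acceptance."""
    return (not serial_gt(rrsig["inception"], now)
            and not serial_gt(now, rrsig["expiration"]))


def with_ttl(rrset, ttl):
    """The same RRset with a different received TTL, as a cache or an
    on-path attacker could present it."""
    return [(o, t, c, ttl, r) for o, t, c, _old, r in rrset]


# Constructed sample data (assumed values, not from any real zone).
INCEPTION = 1704067200            # 2024-01-01T00:00:00Z
EXPIRATION = INCEPTION + 14 * 86400

EXAMPLE_RRSIG = {
    "type_covered": TYPE_A, "algorithm": 13, "labels": 2,
    "original_ttl": 3600, "expiration": EXPIRATION, "inception": INCEPTION,
    "key_tag": 12345, "signer": "example.com.",
}

EXAMPLE_RRSET = [
    ("EXAMPLE.com.", TYPE_A, CLASS_IN, 3600, bytes([192, 0, 2, 2])),
    ("example.com.", TYPE_A, CLASS_IN, 3600, bytes([192, 0, 2, 1])),
]

if __name__ == "__main__":
    fresh = signed_data_digest(EXAMPLE_RRSIG, EXAMPLE_RRSET)
    tampered = signed_data_digest(EXAMPLE_RRSIG, with_ttl(EXAMPLE_RRSET, 7))
    print("TTL 3600 vs TTL 7, same signed bytes:", fresh == tampered)
    print("valid mid-window:", rrsig_in_validity_window(EXAMPLE_RRSIG, INCEPTION + 5 * 86400))
    print("valid after expiration:", rrsig_in_validity_window(EXAMPLE_RRSIG, EXPIRATION + 1))
```

Rewriting the received TTL to any value, including 0 or a week, leaves the signed bytes unchanged, so the signature still validates; only a change to the RRSIG's own Original TTL, Inception or Expiration fields breaks it, and only the Inception/Expiration window makes a validating resolver reject an old answer.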