Mark Andrews wrote:
>
> Martin Rex writes:
> > Christian Becker wrote:
> > > Comparing PKIX and DANE I regularly get asked about the certificate
> > > revocation in DANE.
> >
> > There is no revocation in DANE.
> >
> > There is only expiration through RRSIG Signature Expiration
> > and invalidation through zone key roll-over.
> >
> > > In that case the revocation process can only be considered
> > > done when the TTL has elapsed.
> >
> > TTL is meaningless here. TTL's purpose is a mere guidance for caching,
> > TTL does not provide any security. It is an unsigned(!!) DNS record
> > attribute that an intermediary can make up at will.
>
> TTL is a signed field but instead of being a single value it is a
> range. An intermediary can change it but the receiver knows what
> the range is supposed to be and can fix any attempt to set it to a
> value that is out of range.
TTL is *NOT* signed.

While there is an original TTL field that is signed:

  http://tools.ietf.org/html/rfc4034#section-3.1.4

this will not prevent any intermediary (attacker) from producing new DNS
responses with TTLs less than or equal to the original TTL field whenever
necessary within the remaining RRSIG lifetime.

-Martin

_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
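To make the disagreement above concrete, here is an added example (not from the thread or from any DNS implementation) that models what a validating resolver can and cannot check about a TTL. It assumes an HMAC key as a stand-in for the zone's private signing key, constructed TLSA data under a hypothetical name, and a toy wire format; only the structure of the check follows RFC 4034 section 3.1.8.1 (RRs are signed with their TTL replaced by Original TTL) and RFC 4035 section 5.3.3 (the validator caps the cached TTL at the minimum of received TTL, Original TTL and remaining signature lifetime). The point it demonstrates is Martin's: an out-of-range TTL is clamped, but a replayed answer whose TTL has been reset to Original TTL is indistinguishable from a fresh one until the RRSIG expires.

```python
"""Toy model: the signed Original TTL lets a validator clamp a received TTL,
but it cannot tell a fresh answer from a replayed one (no revocation in DANE)."""
import hmac
import hashlib
from dataclasses import dataclass, replace

# Assumption: an HMAC key stands in for the zone's DNSSEC private key so the
# example runs without a real RSA/ECDSA signer. Only the *structure* of the
# signed data follows RFC 4034 section 3.1.8.1; the crypto does not.
ZONE_KEY = b"stand-in for the example zone's private ZSK"


@dataclass(frozen=True)
class RRSIG:
    original_ttl: int
    inception: int    # seconds since epoch, like the real RRSIG fields
    expiration: int
    signature: bytes


@dataclass(frozen=True)
class Answer:
    name: str
    rtype: str
    rdata: str
    ttl: int          # the unsigned wire TTL an intermediary may rewrite
    rrsig: RRSIG


def _signed_bytes(name, rtype, rdata, original_ttl, inception, expiration):
    # RFC 4034 3.1.8.1: the signature covers the RRSIG RDATA (minus the
    # signature) and each RR with its TTL set to Original TTL. The wire TTL
    # of the answer is *not* part of this input.
    return f"{inception}|{expiration}|{original_ttl}|{name}|{rtype}|{rdata}".encode()


def sign_rrset(name, rtype, rdata, original_ttl, inception, expiration):
    msg = _signed_bytes(name, rtype, rdata, original_ttl, inception, expiration)
    sig = hmac.new(ZONE_KEY, msg, hashlib.sha256).digest()
    return Answer(name, rtype, rdata, original_ttl,
                  RRSIG(original_ttl, inception, expiration, sig))


def validate(answer, now):
    """What a validating resolver can check; returns (status, effective_ttl)."""
    s = answer.rrsig
    if not (s.inception <= now <= s.expiration):
        return ("bogus: outside RRSIG validity window", 0)
    msg = _signed_bytes(answer.name, answer.rtype, answer.rdata,
                        s.original_ttl, s.inception, s.expiration)
    expected = hmac.new(ZONE_KEY, msg, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, s.signature):
        return ("bogus: signature does not verify", 0)
    # RFC 4035 5.3.3: cache no longer than the smallest of received TTL,
    # Original TTL and the remaining signature lifetime. This "fixes" an
    # inflated TTL, but says nothing about how old the answer really is.
    effective_ttl = min(answer.ttl, s.original_ttl, s.expiration - now)
    return ("secure", effective_ttl)


def replay(captured, ttl):
    """An on-path intermediary re-serving a captured answer with a TTL of its choosing."""
    return replace(captured, ttl=ttl)


def demo():
    """Walk through the scenario in the thread; returns the validator's verdicts."""
    t0 = 1_700_000_000
    # Constructed zone data (hypothetical name): TLSA record, 1h TTL,
    # RRSIG valid for 14 days. Assume the operator replaces the record
    # ("revokes" the association) shortly after this answer was captured.
    captured = sign_rrset("_443._tcp.example.net.", "TLSA",
                          "3 1 1 <old cert association>", 3600, t0, t0 + 14 * 86400)
    five_days = t0 + 5 * 86400
    return {
        "fresh answer": validate(captured, t0 + 10),
        # 1h TTL elapsed long ago; the replay simply resets it to Original TTL
        "replayed, ttl reset to 3600": validate(replay(captured, 3600), five_days),
        "replayed, ttl inflated to 86400": validate(replay(captured, 86400), five_days),
        "replayed near signature expiration": validate(replay(captured, 3600),
                                                       t0 + 14 * 86400 - 600),
        "replayed after RRSIG expiration": validate(replay(captured, 3600),
                                                    t0 + 15 * 86400),
        "replayed with altered rdata": validate(
            replace(captured, rdata="3 1 1 <attacker cert association>"), five_days),
    }


if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case:38} -> {verdict}")
```

Run it and compare the first two verdicts: the fresh answer and the five-day-old replay with TTL reset to 3600 both validate as secure with the same effective TTL. The inflated TTL is clamped back to 3600, which is all the Original TTL field buys you; only signature expiration (or a key roll-over that changes the signed data) gets the stale association out of circulation.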
