In message <[email protected]>, Andrew Sullivan writes:
> On Thu, Feb 06, 2014 at 04:31:38AM +0000, Viktor Dukhovni wrote:
> > I must plead ignorance of the obstacle, what do you have in mind?
>
> I am repeatedly informed by my man pages, RFC 3493, and every web
> browser implementer I've ever spoken to that getting the TTL on an RR
> coming to you from the system resolver is hard. I'd be more delighted
> than I can express to be misinformed, so if you know otherwise please
> say so.

And I say BS. If you are using a layer above the resolver (gethostbyname,
getaddrinfo) yes it may be hard, but for TLSA *there is no layer above the
resolver*. libresolv/libbind have provided access to the TTL since the
1980s. Even Microsoft Windows programmers don't have an excuse as DnsQuery
returns the ttl in its results.

http://msdn.microsoft.com/en-us/library/windows/desktop/ms682016(v=vs.85).aspx

> There is a new API (more a meta-api) that Paul Hoffman worked on
> (http://www.vpnc.org/getdns-api/) that I think we should all embrace
> partly for the above reason, but we're not even at 0-day with that yet
> AFAICT.
>
> > If learning DNS TTLs along with the RRset data is problematic,
> > application caches should have reasonably short maximum lifetimes.
>
> I recognise the basic impulse in what you're saying, but it gives me
> pause. Timing attacks involving DNS and the browser "pinning" policy
> have always struck me as plausible (and ISTR a demonstration, but I'm
> darned if I can come up with it now). But using this sort of trick
> for actual certificate stuff appears to make the target of any
> pinning-timing attack more valuable. Is that a problem? (That's not
> a rhetorical question. I'm an idiot.)
>
> [I get your other argument about lifetimes. Not trying to ignore,
> just accepting.]
>
> A
>
> --
> Andrew Sullivan
> [email protected]

--
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
_______________________________________________
dane mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dane
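The point Mark makes is that the TTL is a fixed field in the header of every resource record in the answer section, so any code that sees the raw response (which a TLSA lookup via libresolv's res_query does, since nothing like gethostbyname sits in between) already has it. The C program below is an added illustration, not code from this thread or from ISC: it walks a constructed, hand-assembled DNS response (the name `_25._tcp.mail.example.com`, the TLSA field values and the 32-byte association data are all made up for the example), extracts the TTL, the header AD bit and the TLSA fields, and then caps the cache lifetime at an application maximum as Viktor suggests. It parses the wire format directly rather than calling ns_parserr so that it runs without linking libresolv, but the offsets it reads are exactly what that library would hand back.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TYPE_TLSA 52   /* RR type number for TLSA (RFC 6698) */

struct tlsa_rr {
    uint32_t ttl;            /* TTL from the RR header, in seconds */
    int ad;                  /* AD bit from the message header (set only by a validating resolver) */
    uint8_t usage, selector, mtype;
    const uint8_t *data;     /* certificate association data; points into the message buffer */
    size_t data_len;
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }
static uint32_t rd32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) | ((uint32_t)p[2] << 8) | p[3];
}

/* Skip a wire-format name (labels, or a compression pointer which ends the name).
 * Returns the number of bytes consumed, or -1 if the name runs past the buffer. */
static int skip_name(const uint8_t *msg, size_t len, size_t off) {
    size_t start = off;
    while (off < len) {
        uint8_t l = msg[off];
        if ((l & 0xC0) == 0xC0) {                 /* 2-byte compression pointer */
            if (off + 2 > len) return -1;
            return (int)(off + 2 - start);
        }
        if (l > 63) return -1;                    /* reserved label length */
        off += 1 + l;
        if (l == 0) return (int)(off - start);    /* root label terminates the name */
    }
    return -1;
}

/* Locate the first TLSA RR in the answer section. Returns 1 on success,
 * 0 if there is none or the message is truncated/malformed. */
int find_tlsa(const uint8_t *msg, size_t len, struct tlsa_rr *out) {
    if (len < 12) return 0;
    uint16_t qd = rd16(msg + 4), an = rd16(msg + 6);
    size_t off = 12;
    for (uint16_t i = 0; i < qd; i++) {           /* question: NAME, QTYPE, QCLASS */
        int n = skip_name(msg, len, off);
        if (n < 0 || off + n + 4 > len) return 0;
        off += n + 4;
    }
    for (uint16_t i = 0; i < an; i++) {           /* answer RRs: NAME, TYPE, CLASS, TTL, RDLENGTH, RDATA */
        int n = skip_name(msg, len, off);
        if (n < 0 || off + n + 10 > len) return 0;
        off += n;
        uint16_t type  = rd16(msg + off);
        uint32_t ttl   = rd32(msg + off + 4);     /* the TTL is right here, for every RR */
        uint16_t rdlen = rd16(msg + off + 8);
        off += 10;
        if (off + rdlen > len) return 0;
        if (type == TYPE_TLSA) {
            if (rdlen < 3) return 0;
            out->ttl = ttl;
            out->ad = (rd16(msg + 2) & 0x0020) != 0;
            out->usage = msg[off]; out->selector = msg[off + 1]; out->mtype = msg[off + 2];
            out->data = msg + off + 3; out->data_len = (size_t)rdlen - 3;
            return 1;
        }
        off += rdlen;
    }
    return 0;
}

/* Application cache policy: honour the RR TTL, but never keep a TLSA record
 * longer than the application's own maximum lifetime. */
uint32_t cache_lifetime(uint32_t ttl, uint32_t max_lifetime) {
    return ttl < max_lifetime ? ttl : max_lifetime;
}

/* Constructed response for "_25._tcp.mail.example.com IN TLSA" (not a real capture). */
const uint8_t sample_response[] = {
    0x12, 0x34, 0x81, 0xA0,             /* ID; flags: QR, RD, RA, AD set */
    0x00, 0x01, 0x00, 0x01,             /* QDCOUNT=1, ANCOUNT=1 */
    0x00, 0x00, 0x00, 0x00,             /* NSCOUNT=0, ARCOUNT=0 */
    3, '_', '2', '5', 4, '_', 't', 'c', 'p', 4, 'm', 'a', 'i', 'l',
    7, 'e', 'x', 'a', 'm', 'p', 'l', 'e', 3, 'c', 'o', 'm', 0,
    0x00, 0x34, 0x00, 0x01,             /* QTYPE=TLSA, QCLASS=IN */
    0xC0, 0x0C,                         /* NAME: compression pointer to the question name */
    0x00, 0x34, 0x00, 0x01,             /* TYPE=TLSA, CLASS=IN */
    0x00, 0x00, 0x0E, 0x10,             /* TTL = 3600 seconds */
    0x00, 0x23,                         /* RDLENGTH = 35 */
    3, 1, 1,                            /* usage DANE-EE, selector SPKI, matching type SHA-256 */
    0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x07, 0x08, 0x09, 0x0A, 0x0B, 0x0C, 0x0D, 0x0E, 0x0F,
    0x10, 0x11, 0x12, 0x13, 0x14, 0x15, 0x16, 0x17, 0x18, 0x19, 0x1A, 0x1B, 0x1C, 0x1D, 0x1E, 0x1F
};                                      /* 32 made-up digest bytes */
size_t sample_len(void) { return sizeof sample_response; }

int main(void) {
    struct tlsa_rr rr;
    if (!find_tlsa(sample_response, sample_len(), &rr)) { puts("no TLSA RR in answer"); return 1; }
    printf("TLSA %u %u %u (%zu data bytes) AD=%d TTL=%lu, cache for %lu s\n",
           (unsigned)rr.usage, (unsigned)rr.selector, (unsigned)rr.mtype, rr.data_len, rr.ad,
           (unsigned long)rr.ttl, (unsigned long)cache_lifetime(rr.ttl, 600));
    return 0;
}
```

Two details matter for a TLSA consumer beyond the TTL itself: the AD bit is only meaningful when the response came over a trusted path from a validating resolver, and the length checks in `skip_name` and `find_tlsa` are what keep a truncated or hostile response from reading past the buffer.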
