On 30.03.2011 14:49, W.C.A. Wijngaards wrote:
> Actually unbound caps the TTL so it does not extend beyond the
> expiration time. Or, it should, and there is a bug.
I increased the maximum cache TTL from the default 1 day to 1 week. Could that be a factor here?

# the time to live (TTL) value cap for RRsets and messages in the
# cache. Items are not cached for longer. In seconds.
cache-max-ttl: 604800

In a discussion on IRC, a question came up whether "an attacker can tamper with TTLs on the wire and cause data to never ever expire, even long after their signature has expired" and have an application like OpenSSH still believe in the AD flag. I haven't quite wrapped my head around how that could work, yet. It seems like a lot of effort for little gain. I'm thinking of dynamic address records or SSHFP here. Is the original TTL in the RRSIG data taken into account anywhere? I guess I'll have to read up on some more DNSSEC details now.

Thanks for all the answers.

Hauke.
_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
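The TTL question raised above (whether an on-wire TTL can outlive the signature, and whether the RRSIG's Original TTL is consulted) is answered by the validator rule in RFC 4035 section 5.3.3: a validated RRset is cached with a TTL no larger than the minimum of the received RRset TTL, the received RRSIG TTL, the signed Original TTL field, and the remaining signature lifetime. The following is an added illustration of that rule in Python, written for this thread; it is not Unbound's code and makes no claim about Unbound's internals. It adds the resolver's own ceiling (the cache-max-ttl value from the message) as a final cap, and all record values and the clock are constructed for the example.

```python
# Added example, not Unbound's code: TTL capping of a DNSSEC-validated RRset
# per RFC 4035 section 5.3.3, followed by the resolver's configured ceiling
# (Unbound's cache-max-ttl). All values below are constructed for illustration.
from dataclasses import dataclass
from typing import Optional

DAY = 86400


@dataclass
class SignedRRset:
    """The fields of an RRset plus its covering RRSIG that matter for caching."""
    rrset_ttl: int        # TTL of the RRset as received on the wire (unsigned, alterable in transit)
    rrsig_ttl: int        # TTL of the RRSIG RR as received on the wire (unsigned, alterable in transit)
    original_ttl: int     # RRSIG "Original TTL" field (covered by the signature)
    sig_inception: int    # RRSIG inception time, seconds since epoch (covered by the signature)
    sig_expiration: int   # RRSIG expiration time, seconds since epoch (covered by the signature)


def effective_ttl(rr: SignedRRset, now: int, cache_max_ttl: int) -> Optional[int]:
    """Return the TTL a validator may cache `rr` with at time `now`.

    Returns None when the signature is not valid at `now`: the data is bogus
    and must not be cached as secure (no AD flag for downstream clients).
    """
    if not (rr.sig_inception <= now < rr.sig_expiration):
        return None
    # RFC 4035 5.3.3: none of the unsigned wire TTLs may exceed the signed
    # Original TTL, and nothing may be cached past the signature's expiration.
    remaining_lifetime = rr.sig_expiration - now
    ttl = min(rr.rrset_ttl, rr.rrsig_ttl, rr.original_ttl, remaining_lifetime)
    # The resolver's own configured ceiling (cache-max-ttl in unbound.conf) applies last.
    return min(ttl, cache_max_ttl)


def scenarios(now: int = 1301500000, cache_max_ttl: int = 604800) -> dict:
    """Constructed cases: `now` is roughly 30 March 2011; cache_max_ttl is one week."""
    signed = dict(original_ttl=3600, sig_inception=now - 4 * DAY, sig_expiration=now + 3 * DAY)
    honest = SignedRRset(rrset_ttl=3600, rrsig_ttl=3600, **signed)
    # Wire TTLs inflated to ten years; the signed fields are untouched.
    inflated = SignedRRset(rrset_ttl=10 * 365 * DAY, rrsig_ttl=10 * 365 * DAY, **signed)
    # A zone that legitimately uses a 30-day TTL but whose signature expires in 3 days.
    long_zone_ttl = SignedRRset(rrset_ttl=30 * DAY, rrsig_ttl=30 * DAY, original_ttl=30 * DAY,
                                sig_inception=now - 4 * DAY, sig_expiration=now + 3 * DAY)
    expired = SignedRRset(rrset_ttl=3600, rrsig_ttl=3600, original_ttl=3600,
                          sig_inception=now - 40 * DAY, sig_expiration=now - DAY)
    return {
        "honest": effective_ttl(honest, now, cache_max_ttl),                  # 3600
        "inflated_wire_ttl": effective_ttl(inflated, now, cache_max_ttl),     # 3600: signed Original TTL wins
        "long_zone_ttl": effective_ttl(long_zone_ttl, now, cache_max_ttl),    # 259200: remaining signature lifetime wins
        "expired_signature": effective_ttl(expired, now, cache_max_ttl),      # None: bogus, not cached as secure
    }


if __name__ == "__main__":
    for name, ttl in scenarios().items():
        print(f"{name:20s} -> {ttl}")
```

The point for the OpenSSH/SSHFP worry: the two TTLs an on-path party can rewrite are the unsigned ones, and both are clamped by the signed Original TTL and by the signature's remaining lifetime, so a validating resolver never serves the RRset as secure past the RRSIG expiration regardless of how large cache-max-ttl is set.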
