Hi Hauke,

On 03/30/2011 09:52 PM, Hauke Lampe wrote:
>
> On 30.03.2011 14:49, W.C.A. Wijngaards wrote:
>
>> Actually unbound caps the TTL so it does not extend beyond the
>> expiration time. Or, it should, and there is a bug.
>
> I increased the maximum cache TTL from the default 1 day to 1 week.
> Could that be a factor here?

Yes. But unbound should still stop the TTL at the expiration time. But maybe the TTL was very large and the 10% skew, with the higher max-ttl, gave a larger extra-lenience.

> # the time to live (TTL) value cap for RRsets and messages in the
> # cache. Items are not cached for longer. In seconds.
> cache-max-ttl: 604800
>
>
> In a discussion on IRC, a question came up whether "an attacker can
> tamper with TTLs on the wire and cause data to never ever expire, even
> long after their signature has expired" and have an application like
> OpenSSH still believe in the AD flag.

Not for unbound, because of the max-ttl.

> I haven't quite wrapped my head around how that could work, yet. It
> seems like a lot of effort for little gain. I'm thinking of dynamic
> address records or SSHFP here. Is the original TTL in the RRSIG data
> taken into account anywhere?

Yes, the TTL cannot be larger than that original TTL. Unbound adjusts it lower if so.

> I guess, I'll have to read up on some more DNSSEC details now.
>
> Thanks for all the answers.

Best regards, Wouter

_______________________________________________
Unbound-users mailing list
[email protected]
http://unbound.nlnetlabs.nl/mailman/listinfo/unbound-users
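The three caps discussed in this exchange (the RRSIG Original TTL, the signature expiration time and the resolver's own cache-max-ttl) can be shown together in a small model. The code below is an added example written for this page; it is not unbound's code. The RRSIG type, the `capped_cache_ttl` function and the constructed sample values are assumptions, and the `skew_allowance` helper is only an assumed reading of the "10% skew" mentioned above, used to show how a skew allowance can extend caching slightly past the nominal expiration.

```python
"""Model of how a validating cache bounds an RRset's TTL, in the spirit of
RFC 4035 section 5.3.3: whatever TTL arrives on the wire, the cached value
may not exceed the RRSIG Original TTL, the time left until the RRSIG
expires, or the resolver's configured cache-max-ttl.

Added example, not unbound's implementation; all values are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rrsig:
    """The RRSIG fields relevant to TTL capping (times as seconds since epoch;
    the 32-bit serial arithmetic of real RRSIG times is ignored here)."""
    original_ttl: int   # Original TTL field, covered by the signature
    inception: int      # Signature Inception
    expiration: int     # Signature Expiration


def skew_allowance(sig: Rrsig, fraction: float = 0.10) -> int:
    """Assumed model of the '10% skew' from the thread: a validator tolerates
    clock differences of up to 10% of the signature validity period."""
    return int((sig.expiration - sig.inception) * fraction)


def signature_time_valid(sig: Rrsig, now: int, skew: int = 0) -> bool:
    """True if 'now' lies within [inception - skew, expiration + skew]."""
    return sig.inception - skew <= now <= sig.expiration + skew


def capped_cache_ttl(wire_ttl: int, sig: Rrsig, now: int,
                     cache_max_ttl: int, skew: int = 0) -> int:
    """Return the TTL a validating cache may actually use for the RRset.

    A TTL inflated on the wire gains an attacker nothing: the result is the
    minimum of the wire TTL, the signer's Original TTL, the resolver's
    cache-max-ttl and the seconds left until the signature expires (plus any
    assumed skew allowance). 0 means the data must not be served from cache.
    """
    if not signature_time_valid(sig, now, skew):
        return 0
    until_expiry = sig.expiration + skew - now
    return max(0, min(wire_ttl, sig.original_ttl, cache_max_ttl, until_expiry))


if __name__ == "__main__":
    # Constructed sample: a one-week signature over an SSHFP RRset with a 1h TTL.
    week = 7 * 86400
    sig = Rrsig(original_ttl=3600, inception=1_000_000, expiration=1_000_000 + week)
    tampered = 2**31 - 1                     # largest value a 32-bit TTL field can carry
    now = 1_000_000 + 86400
    print(capped_cache_ttl(tampered, sig, now, cache_max_ttl=604800))   # 3600

    # Near expiration the remaining validity, not the TTL, is the binding cap;
    # with the assumed skew allowance the cache gets a little extra lenience.
    late = sig.expiration - 800
    print(capped_cache_ttl(tampered, sig, late, cache_max_ttl=604800))  # 800
    print(capped_cache_ttl(tampered, sig, late, cache_max_ttl=604800,
                           skew=skew_allowance(sig)))                   # 3600

    # Once the signature has expired (beyond any skew), nothing is cached.
    print(capped_cache_ttl(tampered, sig, sig.expiration + week, 604800, 0))  # 0
```

Raising cache-max-ttl from one day to one week, as in the configuration quoted above, widens only the third cap; the Original TTL and the expiration-time cap still bound what a tampered wire TTL can achieve.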
