[Dnssec-deployment] Expired RRSIGs for .be

Paul Wouters paul at xelerance.com
Fri Oct 8 17:15:11 EDT 2010


On Fri, 8 Oct 2010, Paul Hoffman wrote:

>>> Indeed. Expired signatures shouldn't be cached, and are easy to recover
>>> from. Bad signatures will long TTLs and expiry times are far more
>>> difficult to recover from.
>>
>> But you also do not want your nameserver DoS'ed when the signatures are bad, and
>> the entire world is continuously fetching your bad data.
>
> It is not clear that "you" do not want that. A perfectly reasonable operations policy would be "they should keep asking us repeatedly until we give a secure answer, even if that means that our insecure answers will be harder to get".
>
> Let's not have a one-size-fits-all security policy for DNSSEC, eh?

You think any TLD can handle TTL=0 on expired RRSIGs without dying?

Sure, every TLD can make their own choice, but is there any TLD here that
would pick TTL=0?  If so, they are alive at the mercy of the resolver's
back-off mechanism. Remember "roll over or die"?

And if even RIPE has a significant operational issue that I'm called in
the middle of the night about their servers being DOS'ed by retrying -
and considering the tiny deployment of resolvers actively using
DNSSEC we had at that time just over a year ago, TTL=0 as the default
seems very wrong.

Paul
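The validity window and the caching trade-off argued about above, as an added example in Python (not code from the list, from .be, or from any resolver): it classifies an RRSIG as valid, not-yet-valid or expired using the RFC 1982 serial arithmetic that RFC 4034 prescribes for the inception/expiration fields, caps a valid answer's cache TTL at the signature expiration as RFC 4035 section 4.5 recommends, and lets the resolver operator pick how long a bogus answer is held, where a floor of 0 is the TTL=0 policy discussed in the thread. All timestamps, TTLs and policy values are constructed.

```python
"""Added example: RRSIG validity window and resolver cache-TTL policy."""
from datetime import datetime, timezone

MOD = 2**32  # RRSIG inception/expiration are 32-bit serial numbers (RFC 4034 3.1.5)


def parse_rrsig_time(text: str) -> int:
    """Presentation form YYYYMMDDHHmmSS (UTC) -> seconds since epoch, mod 2^32."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % MOD


def serial_lt(a: int, b: int) -> bool:
    """a < b under RFC 1982 serial arithmetic, so the 2038 wrap is handled."""
    return a != b and (b - a) % MOD < 2**31


def rrsig_status(inception: int, expiration: int, now: int) -> str:
    """Return 'valid', 'not-yet-valid' or 'expired' for wall-clock time `now`."""
    now %= MOD
    if serial_lt(now, inception):
        return "not-yet-valid"
    if serial_lt(expiration, now):
        return "expired"
    return "valid"


def cache_ttl(status: str, rr_ttl: int, expiration: int, now: int,
              bogus_floor: int = 60, bogus_ceiling: int = 3600) -> int:
    """TTL a validating resolver assigns to the answer (policy values constructed).

    Valid data is never served past signature expiration (RFC 4035 4.5).
    For bogus data, TTL=0 (floor 0) means every client query is re-sent to the
    authoritative server; a non-zero floor bounds the retry rate, the ceiling
    bounds how long the bad data lingers once the zone is re-signed.
    """
    if status == "valid":
        return min(rr_ttl, (expiration - now) % MOD)
    return max(bogus_floor, min(rr_ttl, bogus_ceiling))


def check(inception_txt: str, expiration_txt: str, rr_ttl: int, now_txt: str,
          **policy) -> tuple:
    """Convenience wrapper: (status, ttl_to_cache) for presentation-form times."""
    inc, exp, now = map(parse_rrsig_time, (inception_txt, expiration_txt, now_txt))
    status = rrsig_status(inc, exp, now)
    return status, cache_ttl(status, rr_ttl, exp, now, **policy)


if __name__ == "__main__":
    # Constructed RRSIG window that lapsed on the day of this thread.
    print(check("20101001000000", "20101008000000", 86400, "20101008171511"))
```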

