This repository has been archived by the owner on Jun 7, 2024. It is now read-only.

test that a RRset whose TTL values differ from RRSIG's 'Original TTL' field is rejected #62

Open
japaric opened this issue May 15, 2024 · 0 comments


japaric commented May 15, 2024

Section 3.1.8.1 (Signature Calculation) of RFC 4034 says:

Each RR in the RRset MUST have the TTL listed in the RRSIG Original TTL Field

NOTE: the RFC may be referring to the TTL values written in the zone file, because this requirement does not hold for records received by a resolver / nameserver client. For example:

$ dig @1.1.1.1 +recurse +dnssec A example.com.
example.com.		3175	IN	A	93.184.215.14
example.com.		3175	IN	RRSIG	A 13 2 3600 (..)

3600 is the Original TTL value, but it matches neither the TTL of the A record nor the TTL of the RRSIG record.
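For reference, here is the reconstruction step that makes the received TTL irrelevant to signature checking, as an added Python example that is not part of this issue or of the repository under test: a validator rebuilds the signed data with every RR's TTL replaced by the RRSIG Original TTL (RFC 4034 section 3.1.8.1, canonical form per sections 6.2 and 6.3), and only afterwards clamps the cache TTL as RFC 4035 section 5.3.3 requires. The RRSIG expiration, inception, key tag and signer name are constructed placeholders; only the A record, Original TTL, algorithm and label count come from the dig output above.

```python
import struct
from ipaddress import IPv4Address

# Constructed RRSIG fields for the example.com. A RRset shown in the dig output.
# type_covered (A), algorithm (13), labels (2) and original_ttl (3600) are from the
# issue; expiration, inception, key_tag and signer are made-up placeholders.
RRSIG = {
    "type_covered": 1, "algorithm": 13, "labels": 2, "original_ttl": 3600,
    "expiration": 1716768000, "inception": 1715558400, "key_tag": 12345,
    "signer": "example.com.",
}
# (owner, type, class, TTL as received from the resolver cache, rdata)
RECEIVED_A = [("example.com.", 1, 1, 3175, IPv4Address("93.184.215.14").packed)]


def canonical_name(name: str) -> bytes:
    """Canonical wire form of a name (RFC 4034 s6.2): lowercase, uncompressed."""
    labels = [l for l in name.rstrip(".").lower().split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def canonical_rr(owner: str, rtype: int, rclass: int, ttl: int, rdata: bytes) -> bytes:
    """One RR in canonical wire form with the TTL the caller chooses."""
    return canonical_name(owner) + struct.pack("!HHIH", rtype, rclass, ttl, len(rdata)) + rdata


def signed_data(rrsig: dict, rrset: list) -> bytes:
    """Bytes the RRSIG signature covers (RFC 4034 s3.1.8.1): RRSIG RDATA minus the
    Signature field, then the RRset in canonical order with every TTL set to
    Original TTL. The TTL the resolver handed us is deliberately discarded."""
    hdr = struct.pack("!HBBIIIH", rrsig["type_covered"], rrsig["algorithm"],
                      rrsig["labels"], rrsig["original_ttl"], rrsig["expiration"],
                      rrsig["inception"], rrsig["key_tag"])
    hdr += canonical_name(rrsig["signer"])
    ordered = sorted(rrset, key=lambda rr: rr[4])  # sort by RDATA only (RFC 4034 s6.3)
    return hdr + b"".join(canonical_rr(o, t, c, rrsig["original_ttl"], r)
                          for o, t, c, _received_ttl, r in ordered)


def validated_ttl(rrset_ttl: int, rrsig_ttl: int, original_ttl: int,
                  expiration: int, now: int) -> int:
    """Largest TTL a validator may cache after authentication (RFC 4035 s5.3.3)."""
    return min(rrset_ttl, rrsig_ttl, original_ttl, expiration - now)
```

Because the cached TTL (3175) is dropped before verification, a validator that compared received TTLs against Original TTL, as the issue title proposes, would reject perfectly valid cached answers.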

@japaric japaric added the dnssec Conformance to DNSSEC RFCs label May 15, 2024