[dns-operations] .mm off the air for anyone who validates

Mike Jones mike at mikejones.in
Sat Jan 19 05:18:46 UTC 2013

On 18 January 2013 16:59,  <WBrown at e1b.org> wrote:
> Chris Thompson wrote on 01/18/2013 10:06:25 AM:
>> Is fudging the expiry times like that really a good idea? If all
>> validators allowed a 10% overrun, DNS operators would just
>> get 10% sloppier and we would be back where we started.
> In some percentage of cases, that will most likely be true.  In others,
> there may be an extenuating circumstance that delays the process.
> I think this comes under "be liberal in what you accept."

It's being a bit too liberal if you accept a signature that doesn't
validate as if it was valid. I suspect (without confirming with the
authors) that the 10% fudge is probably more about clock inaccuracy
than anything else. The signatures should have been re-signed before
they expired, even if some subset of resolvers are willing to accept a
recently valid signature as being the same as a currently valid one.

If I walk in to a shop with a discount voucher that says it expired
yesterday and I argued "well it was valid yesterday" I doubt many
places would respond with "oh, well in that case it's obviously valid".

If I administer a DNS zone and I know I can probably sign once per
week but occasionally it might be delayed, then I would be stupid to
only sign for 1 week at a time expecting everyone to continue to
accept my invalid signatures until I get around to fixing it. If it
could potentially take up to 6 months before you can get around to
re-signing your zone, then you should factor that into your expiry
dates (and consider fixing whatever processes take you that long to
get a zone signed!)

- Mike
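As an added illustration (not part of the thread or any resolver's code), the Python below checks an RRSIG's inception/expiration window using the 32-bit serial arithmetic RFC 4034 prescribes, with an optional tolerance for resolver clock error, and computes the signature lifetime a zone needs to cover its re-signing schedule. The timestamps and the weekly-signing scenario are constructed; the cryptographic check of the signature itself is out of scope here.

```python
# RFC 4034 s3.1.5: RRSIG Inception/Expiration are 32-bit unsigned seconds
# since the epoch and are compared with serial number arithmetic (RFC 1982)
# so that values wrapping past 2^32 still order correctly.
MOD = 1 << 32
HALF = 1 << 31
DAY = 86400
WEEK = 7 * DAY


def serial_lt(a: int, b: int) -> bool:
    """True if 32-bit serial a precedes b under RFC 1982 ordering."""
    a %= MOD
    b %= MOD
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


def rrsig_time_valid(inception: int, expiration: int, now: int, skew: int = 0) -> bool:
    """True if 'now' lies within [inception - skew, expiration + skew].

    'skew' widens the window on both ends to absorb resolver clock error.
    This is the time-window check only; the signature must still verify."""
    lower = (inception - skew) % MOD
    upper = (expiration + skew) % MOD
    return not serial_lt(now, lower) and not serial_lt(upper, now)


def required_signature_lifetime(resign_interval: int, max_delay: int,
                                max_ttl: int, skew: int = 0) -> int:
    """Signature lifetime (seconds) so that a zone re-signed every
    resign_interval, possibly up to max_delay late, never serves or leaves
    in caches (up to max_ttl) an RRSIG that a resolver with 'skew' seconds
    of clock error would reject as expired."""
    return resign_interval + max_delay + max_ttl + skew


def late_resign_scenario(hours_late: int) -> dict:
    """Weekly signing with only a one-week lifetime, re-signed hours_late
    late: what a strict validator and one allowing a 10% overrun decide.
    Timestamps are constructed (inception is roughly mid January 2013)."""
    inception = 1_358_000_000
    expiration = inception + WEEK
    now = expiration + hours_late * 3600
    overrun = WEEK // 10  # 10% of the validity period, about 16.8 hours
    return {
        "strict": rrsig_time_valid(inception, expiration, now),
        "ten_percent": rrsig_time_valid(inception, expiration, now, skew=overrun),
        "needed_lifetime_days": required_signature_lifetime(WEEK, DAY, DAY) // DAY,
    }
```

A full day of lateness fails even under the 10% overrun, which is the poster's point: the fix is a lifetime sized for the real re-signing worst case, not a more forgiving validator.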
