[dns-operations] RRSIG expiry versus TTL

[Andrew Sullivan]

Hi,

On Sun, Sep 05, 2021 at 05:08:55PM +0100, Matthew Richardson wrote:
>
>>it is not possible to query rrsig it directly but only together with
>>NS, so it can not be cached on non validating resolver

This is false in multiple ways.  First, RRSIGs are in fact resource records and it _is_ possible to query for them directly:

; <<>> DiG 9.10.6 <<>> @b0.org.afilias-nst.org RRSIG org +noall +answer
; (2 servers found)
;; global options: +cmd
org.			86400	IN	RRSIG	NS 8 1 86400 20210922152219 20210901142219 39681 org. APvXBaAkNa17jErJBSw5c5gbU2TQ7EoORph+Db5Jsy8nLrSaD/WFJaVa n+3FaK70F9OORBdclvQlNuDV9M/8LyniyRgWy/4ngjH2pFySxYcmtf+n OghS6RY+ZQkBqy96lm0r8t1V3sYeavnRp4GfvIpf0COg1IAcoTxi7O/v 1bM=

Second, of course, RRSIGs are over RRsets, not just NSs.

>>the RRSIG TTL should match the NS record TTL, but ..., the validating
>>resolver does not care, and should not, about RRSIG TTL. So the
>>difference between the expiration of the rrsig and the TTL shouldn't
>>or doesn't impact the online services.

Also false.  Caches do not look at the RRTYPE to decide how to cache.  They just cache whatever comes along for the TTL.  If your RRSIG expires while it is cached, you will go bogus.  This is discussed (IMO somewhat elliptically, because there was some controversy about what the Right Thing was, IIRC, and it never really got resolved) in RFC 6781.

>Paraphrasing, they seem to be suggesting that DNSVis is reporting a
>theoretical issue would not affect resolution of names used by "online
>services".
>
>Is this correct and that there is no real world problem here?

Having seen it happen in the wild, no, it is not correct.  

Best regards,

A
-- 
Andrew Sullivan
ajs at anvilwalrusden.com