[GH-ISSUE #2292] test that validating resolver sets the TTL field to a value smaller than now() - signature_expiration_time #957

Closed
opened 2026-03-16 01:05:19 +03:00 by kerem · 0 comments
Originally created by @japaric on GitHub (Jul 8, 2024).
Original GitHub issue: https://github.com/hickory-dns/hickory-dns/issues/2292

Originally assigned to: @justahero on GitHub.

basically test the last bullet of the last paragraph of [section 5.3.3 of RFC4035](https://datatracker.ietf.org/doc/html/rfc4035#section-5.3.3):

> If the resolver accepts the RRset as authentic, the validator MUST set the TTL of the RRSIG RR and each RR in the authenticated RRset to a value no greater than the minimum of:
> (..)
> - the difference of the RRSIG RR's Signature Expiration time and the current time.

we would need to manufacture a signature that expires relatively quickly such that the resolver picks the last bullet of the list.

this will likely use whatever mechanism is used to implement #2275
cc @justahero

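As an added illustration of the cap the requested test should exercise (example code, not hickory-dns' own implementation), the RFC 4035 §5.3.3 minimum in Rust, with the RRSIG Signature Expiration field compared using the serial-number arithmetic RFC 4034 prescribes for its 32-bit time fields; the `TtlInputs` type and function names are this example's own assumptions.

```rust
/// Inputs the validator has in hand when it decides the TTL of an
/// authenticated RRset. Constructed for this example; not hickory-dns types.
#[derive(Debug, Clone, Copy)]
pub struct TtlInputs {
    /// TTL of the RRset as received in the response.
    pub rrset_ttl: u32,
    /// TTL of the RRSIG RR as received in the response.
    pub rrsig_ttl: u32,
    /// Original TTL field of the RRSIG RR.
    pub original_ttl: u32,
    /// Signature Expiration field: seconds since the epoch, modulo 2^32.
    pub sig_expiration: u32,
}

/// Seconds until `expiration`, using RFC 4034 serial-number arithmetic so a
/// field that wrapped past 2^32 still compares as "in the future". Returns
/// None once the expiration time lies in the past, i.e. the signature has
/// expired and the RRset must not be accepted as authentic.
pub fn seconds_until_expiration(expiration: u32, now: u32) -> Option<u32> {
    let diff = expiration.wrapping_sub(now);
    // In serial arithmetic, `expiration` is after `now` only if the wrapped
    // difference is below 2^31; a difference of 0 means "expires now" (TTL 0).
    if diff >= 1u32 << 31 { None } else { Some(diff) }
}

/// RFC 4035 §5.3.3: after accepting the RRset, cap the TTL of the RRSIG and
/// every RR in the set at the minimum of the four bounds listed there.
pub fn validated_ttl(inputs: TtlInputs, now: u32) -> Option<u32> {
    let remaining = seconds_until_expiration(inputs.sig_expiration, now)?;
    Some(inputs.rrset_ttl.min(inputs.rrsig_ttl).min(inputs.original_ttl).min(remaining))
}

fn main() {
    // The scenario the issue asks for: a signature manufactured to expire
    // 30 seconds from now, with every other bound far larger, so the last
    // bullet of the list is the one that wins.
    let now: u32 = 1_700_000_000; // constructed "current time"
    let inputs = TtlInputs { rrset_ttl: 3600, rrsig_ttl: 3600, original_ttl: 3600, sig_expiration: now + 30 };
    println!("capped TTL = {:?}", validated_ttl(inputs, now)); // Some(30)
}
```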