DNS TTL of 0 and "nsec3params"
As described in Usar NSEC3 en vez de NSEC en un dominio DNSSEC con gestión de DNS dinámico (Use NSEC3 instead of NSEC in a DNSSEC domain with dynamic DNS management), the usual TTL (Time To Live) of the NSEC3PARAM record is zero. NSEC3PARAM lives at the zone apex and holds the parameters (hash algorithm, flags, iterations and salt) used to build the NSEC3 records, which are what DNSSEC uses to give an authenticated "proof of non-existence" without handing out the names that actually exist in the zone (the hashed names can still be attacked offline with a dictionary, so NSEC3 makes zone enumeration harder, not impossible). I never fully understood why a TTL of zero is so common, but for that post knowing why was not really important.
So far so good.
The problem came when I listened to The Ask Mr. DNS Podcast: Episode 57 [1]. There, Matt Larson and Cricket Liu talk long and deep about why using a TTL of zero for DNS records is (almost) always a bad idea. I agree with what they say in the podcast, but it hit a nerve. I had always been uncomfortable about not knowing WHY a TTL of zero is used with NSEC3PARAM, and now real DNS experts [1] were saying that a TTL of zero is bad.
[1] The Ask Mr. DNS Podcast is (usually) a quite deep, insightful and (at times) funny podcast about DNS, conducted by world-class DNS experts Matt Larson and Cricket Liu. You can ask them DNS questions at mrdns@ask-mrdns.com. If you are lucky (they are picky), they may answer them in the podcast.
Sorry, I needed to know. I sent a message to The Ask Mr. DNS Podcast people [1] asking for clarification and expert insight:
To: mrdns@ask-mrdns.com
From: Jesus Cea <jcea@jcea.es>
Subject: DNS TTL of 0 and "nsec3params"
Message-ID: <b3a40e65-eb48-5c29-e1b7-d435812195ee@jcea.es>
Date: Sat, 23 Feb 2019 13:51:19 +0100

Hi, guys.

I am just listening to your podcast #57 about the NO NO of a TTL of zero.

I wonder about "nsec3param" and BIND giving it a TTL of ZERO:

https://issues.opendnssec.org/browse/OPENDNSSEC-330

Doing a "rndc signing -nsec3param 1 0 10 auto example.org" over a dynamically updated DNSSEC domain, BIND will add a "nsec3param" record to the domain using a TTL of ZERO. I never understood why.

Checking the "com" domain, I see a TTL of 24 hours for NSEC3PARAM, but checking the Spanish "es" I see a 0 TTL value.

RFC 5155, defining NSEC3PARAM, doesn't say anything about this, but the zone example shows a TTL of 3600 seconds.

My questions, then:

1. What are the best practices for the TTL of NSEC3PARAM?
2. Why is a TTL of zero assigned with "rndc signing -nsec3param" in BIND? Is that a bug?
3. Does using a TTL of 0 have any kind of sensible rationale?
4. What would be the bad effects of using a TTL of 0, given what is said in your podcast #57 about a TTL of 0 being a "do not do it"?
5. If a TTL of 0 is what should be used, how does this relate to what is said in your podcast #57 about a TTL of 0 being a bad practice and potentially causing problems?
6. If a TTL of 0 is a mistake, what should the proper value be?
7. If a TTL of 0 is a mistake, should I notify the Spanish NIC about its bad configuration? Many other domains have the same issue: FR, DE, UK, PT, GR, AT... A TTL of 0 seems to be the norm, in fact.

Thanks for your podcasts. They are funny and valuable. Keep them going!

Thanks for your time and attention.
After resending the question a few times, I got a reply from Matt Larson:
Subject: Re: DNS TTL of 0 and "nsec3params" (retried question)
From: Matt Larson <matt@kahlerlarson.org>
In-Reply-To: <8e40a936-9965-0251-a346-9b17718ae6fa@jcea.es>
Date: Thu, 27 Jun 2019 09:21:26 -0400
Cc: Cricket Liu <cricket@nxdomain.com>
Message-Id: <86EF1582-F9C9-4F4E-B385-BA751636C929@kahlerlarson.org>
References: <8e40a936-9965-0251-a346-9b17718ae6fa@jcea.es>
To: Jesus Cea <jcea@jcea.es>

Hi, Jesus.

The episode was running long (and we needed to get to the ball game!) and yours was the one question we couldn't get to. We'll answer it in the next episode, which like all future episodes, is "yet to be scheduled". :-)

But I'm happy to answer your question here. Quoting from RFC 5155, which defines NSEC:

> 4. The NSEC3PARAM Resource Record
>
> The NSEC3PARAM RR contains the NSEC3 parameters (hash algorithm, flags, iterations, and salt) needed by authoritative servers to calculate hashed owner names. The presence of an NSEC3PARAM RR at a zone apex indicates that the specified parameters may be used by authoritative servers to choose an appropriate set of NSEC3 RRs for negative responses. The NSEC3PARAM RR is not used by validators or resolvers.

The last sentence is key: because the record is only used by the zone's authoritative servers and not validators or resolvers, there's never a need for the NSEC3PARAM record to be looked up and therefore it will never be cached. But because it's a record in the zone just like any other, you still can look it up--there's nothing stopping you--but only authoritative servers (or, strictly speaking, the zone signer) ever need the parameters stored in this record.

I hope that helps, and thank you for listening to the show!

Matt

[...]
I needed some time to digest the reply, and now I understand the reason for a TTL of zero: NSEC3PARAM is only used by the DNSSEC zone signer (the authoritative side) to generate the NSEC3 records of the zone and to pick the right ones for a negative answer. Every NSEC3 record carries the same hash algorithm, flags, iterations and salt in its own RDATA, so validators and resolvers never need to look up NSEC3PARAM at all. Any TTL value would work in practice, because nobody has a reason to cache that record; a TTL of zero just says so explicitly (RFC 1035 defines a zero TTL as "use only for the transaction in progress, do not cache").
Maybe I could dare to say that now I fully understand DNSSEC :-).
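To make the point concrete, here is an added example (written for this post, not code from the original article, from BIND or from the podcast) that plays both roles: the signer reads the NSEC3PARAM RDATA to build an NSEC3 chain, and a validator then proves or denies the existence of a query name using only the parameters found inside the NSEC3 record it received, never touching NSEC3PARAM. The zone contents are constructed for the demonstration; the salt, the iteration count and the hashed owner name of "example." are the worked values from RFC 5155 Appendix A, so the hashing routine can be checked against the RFC. Type bitmaps and Opt-Out are left out to keep the chain logic visible.

```python
"""
Signer side: NSEC3PARAM -> NSEC3 chain.  Validator side: NSEC3 RR -> proof.
Added example for this post; zone data below is constructed, the salt,
iterations and the "example." hash come from RFC 5155 Appendix A.
"""
import hashlib

B32HEX = "0123456789abcdefghijklmnopqrstuv"  # RFC 4648 base32hex alphabet


def base32hex(data: bytes) -> str:
    """Lowercase base32hex without padding (a 20-byte SHA-1 digest -> 32 chars).
    base32hex preserves byte order, so string sorting equals hash sorting."""
    bits = "".join(f"{b:08b}" for b in data)
    bits += "0" * (-len(bits) % 5)
    return "".join(B32HEX[int(bits[i:i + 5], 2)] for i in range(0, len(bits), 5))


def wire_name(name: str) -> bytes:
    """Owner name in canonical wire format (lowercase labels, RFC 4034 s.6.2)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def nsec3_hash(name: str, salt: bytes, iterations: int, algorithm: int = 1) -> str:
    """RFC 5155 s.5: IH(0) = H(name || salt); IH(k) = H(IH(k-1) || salt)."""
    if algorithm != 1:
        raise ValueError("RFC 5155 defines only hash algorithm 1 (SHA-1)")
    digest = hashlib.sha1(wire_name(name) + salt).digest()
    for _ in range(iterations):
        digest = hashlib.sha1(digest + salt).digest()
    return base32hex(digest)


def sign_chain(zone: str, names, nsec3param: str, ttl: int = 3600):
    """Signer: consume the NSEC3PARAM RDATA ('alg flags iterations salt') and
    emit NSEC3 RRs in presentation format, sorted by hashed owner name.  This
    is the only place the NSEC3PARAM parameters are ever read."""
    alg, flags, iterations, salt_txt = nsec3param.split()
    salt = b"" if salt_txt == "-" else bytes.fromhex(salt_txt)
    hashed = sorted(nsec3_hash(n, salt, int(iterations), int(alg)) for n in names)
    rrs = []
    for i, h in enumerate(hashed):
        nxt = hashed[(i + 1) % len(hashed)]  # the last record wraps to the first
        rrs.append(f"{h}.{zone} {ttl} IN NSEC3 {alg} {flags} {iterations} {salt_txt} {nxt}")
    return rrs


def parse_nsec3(rr: str) -> dict:
    """Validator: pull owner hash, next hash and the hashing parameters out of
    one NSEC3 RR.  Everything needed to re-hash a query name is right here."""
    f = rr.split()
    i = f.index("NSEC3")
    salt = b"" if f[i + 4] == "-" else bytes.fromhex(f[i + 4])
    return {"owner": f[0].split(".")[0].lower(), "next": f[i + 5].lower(),
            "alg": int(f[i + 1]), "flags": int(f[i + 2]),
            "iterations": int(f[i + 3]), "salt": salt}


def nsec3_match(rr: str, qname: str) -> str:
    """'exact' if the RR proves qname exists, 'covers' if it proves qname does
    not exist (hash strictly between owner and next, wrapping at the end of
    the chain), else 'none'.  Uses only the NSEC3 RR's own parameters."""
    p = parse_nsec3(rr)
    h = nsec3_hash(qname, p["salt"], p["iterations"], p["alg"])
    if h == p["owner"]:
        return "exact"
    if p["owner"] < p["next"]:
        covered = p["owner"] < h < p["next"]
    else:  # last record of the chain: covers after owner or before the first owner
        covered = h > p["owner"] or h < p["next"]
    return "covers" if covered else "none"


def denial_check(rrs, qname: str) -> dict:
    """Run qname against a whole chain.  A consistent chain gives exactly one
    'exact' hit for an existing name, or exactly one 'covers' hit otherwise."""
    results = [nsec3_match(rr, qname) for rr in rrs]
    return {"exact": results.count("exact"), "covers": results.count("covers")}


# Constructed zone; salt and iterations as in RFC 5155 Appendix A.
ZONE = "example."
NSEC3PARAM_RDATA = "1 0 12 aabbccdd"      # what the signer reads from NSEC3PARAM
EXISTING = ["example.", "ns1.example.", "ns2.example.", "a.example.", "w.example."]
CHAIN = sign_chain(ZONE, EXISTING, NSEC3PARAM_RDATA)

if __name__ == "__main__":
    for rr in CHAIN:
        print(rr)
    print(denial_check(CHAIN, "ns1.example."))          # existing name: one exact hit
    print(denial_check(CHAIN, "nonexistent.example."))  # missing name: one covering RR
```

Run it and the printed chain shows each NSEC3 RR repeating "1 0 12 aabbccdd"; the validator functions consume that copy, which is exactly why nothing on the resolver side ever has a reason to fetch, let alone cache, the apex NSEC3PARAM record, whatever TTL it carries.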
I replied to Matt Larson and requested permission to share this conversation online:
Subject: Re: DNS TTL of 0 and "nsec3params" (retried question)
To: Matt Larson <matt@kahlerlarson.org>
Cc: Cricket Liu <cricket@nxdomain.com>
References: <8e40a936-9965-0251-a346-9b17718ae6fa@jcea.es> <86EF1582-F9C9-4F4E-B385-BA751636C929@kahlerlarson.org>
From: Jesus Cea <jcea@jcea.es>
Message-ID: <d8b46e13-d1fd-3773-b08f-fbbc5beac1d0@jcea.es>
Date: Tue, 20 Aug 2019 14:10:36 +0200
In-Reply-To: <86EF1582-F9C9-4F4E-B385-BA751636C929@kahlerlarson.org>

Top posting because this is old but you don't need to read it again. Quoting for context, just in case you need it.

On 27/6/19 15:21, Matt Larson wrote:
> Hi, Jesus.
>
> The episode was running long (and we needed to get to the ball game!)
> and yours was the one question we couldn't get to. We'll answer it in
> the next episode, which like all future episodes, is "yet to be
> scheduled". :-)

Matt, great answer. I understand now. Thanks a lot for your time and expertise.

Keep going with the podcast, it is great. Hoping to hear from time to time about (appalling) DNSSEC deployment :-).

Do you mind if I post your reply online in my blog? Full credits, link to the podcast, etc.

Thanks.

END OF MESSAGE.

[...]
Matt Larson replied:
Subject: Re: DNS TTL of 0 and "nsec3params" (retried question)
From: Matt Larson <matt@kahlerlarson.org>
In-Reply-To: <d8b46e13-d1fd-3773-b08f-fbbc5beac1d0@jcea.es>
Date: Tue, 20 Aug 2019 10:56:49 -0400
Cc: Cricket Liu <cricket@nxdomain.com>
Message-Id: <6DE04307-DDFB-4106-B995-BE5AAE384D0C@kahlerlarson.org>
References: <8e40a936-9965-0251-a346-9b17718ae6fa@jcea.es> <86EF1582-F9C9-4F4E-B385-BA751636C929@kahlerlarson.org> <d8b46e13-d1fd-3773-b08f-fbbc5beac1d0@jcea.es>
To: Jesus Cea <jcea@jcea.es>

Hi, Jesus.

It would be a compliment if you wanted to post my reply! Please feel free to do so.

Kind regards,
Matt

[...]