Closed Bug 1591906 Opened 5 years ago Closed 4 years ago

Do not add grace to esni records

Categories

(Core :: Networking: DNS, enhancement, P2)

enhancement

RESOLVED INVALID

People

(Reporter: dragana, Unassigned)

References

Details

(Whiteboard: [necko-triaged])

We should respect the TTL of the ESNI records. Extending time may cause us to contact the server that has already exchanged the esni keys.

Summary: Do not ad grace to esni records → Do not add grace to esni records

What is the grace added to the TTL? Is it a fixed value?

One case where a too high TTL value caused issues is https://bugzilla.mozilla.org/show_bug.cgi?id=1566175#c43
That was not a Firefox issue, but by the authoritative name server responding with a TTL of 1h even when the key rotates in less than that.

Flags: needinfo?(dd.mozilla)

(In reply to Peter Wu from comment #1)

What is the grace added to the TTL? Is it a fixed value?

Yes, it is fixed (or somewhat fixed). It is 60s.

One case where a too high TTL value caused issues is https://bugzilla.mozilla.org/show_bug.cgi?id=1566175#c43
That was not a Firefox issue, but by the authoritative name server responding with a TTL of 1h even when the key rotates in less than that.

I would expect that adding grace of 60s is fine. Servers must have a graceful rotation of keys that will tolerate 60s grace, but I will double check.

Flags: needinfo?(dd.mozilla)

I got to read the rest of my bug mail. So I could ask you, Peter, if a grace of 60s would be a problem?

Flags: needinfo?(peter)

60s is fine for Cloudflare. Even a couple of minutes should be fine. Hours, not so much.

Flags: needinfo?(peter)
Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → INVALID