Re: Practical issues deploying DNSSEC into the home.

Hi Jim,

On 2013-09-10, at 11:55, Jim Gettys <jg@xxxxxxxxxxxxxxx> wrote:

> We uncovered two practical problems, both of which need to be solved to enable full DNSSEC deployment into the home:
> 
> 1) DNSSEC needs to have the time within one hour.  But these devices do not have TOY clocks (and arguably, never will, nor even probably should ever have them).  
> 
> So how do you get the time after you power on the device?  The usual answer is "use ntp".  Except you can't do a DNS resolve when your time is incorrect.  You have a chicken and egg problem to resolve/hack around :-(.
> 
> Securely bootstrapping time in the Internet is something I believe needs doing....  and being able to do so over wireless links, not just relying on wired links.

Dave and I wrote up a proposal for this, which may be of interest. If you find this document, let me know and we can work to rejuvenate it (it withered on the I-D vine).

http://tools.ietf.org/html/draft-jabley-dnsop-validator-bootstrap-00

> 2) when you install a new home router, you may want to generate certificates for that home domain (particularly so it can be your primary name server, which you'd really like to be under your control anyway, rather than delegating to someone else who could either intentionally or unintentionally subvert your domain).

I think as a starting point, you could safely assume that any local domain you host for the purpose of home users could be unsigned. Users behind the home gateway are trusting the cache on the home gateway anyway; serving signed, authoritative local data doesn't seem like it would add much benefit over serving the same data unsigned.


Joe
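An added illustration of the clock dependency Jim describes in point 1. This is example code written for this archive page; it is not from the thread, from the draft linked above, or from any resolver. It implements the RRSIG inception/expiration check a validator performs (RFC 4034, section 3.1.5, which compares the timestamps with RFC 1982 serial number arithmetic) and runs it against a constructed signature with a cold-boot clock and with a synced clock. The `unvalidated_time_fetch` callable and all timestamps are assumptions made for the demonstration.

```python
"""
Why a DNSSEC validator on a device without a real-time clock cannot
validate anything until it has the time: every RRSIG carries an
inception and an expiration timestamp, and a signature whose inception
lies in the validator's "future" is rejected as not yet valid.

All constants below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable, Tuple

MOD = 2 ** 32        # RRSIG timestamps are 32-bit seconds since the epoch
HALF = 2 ** 31


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 'a < b' on 32-bit serial numbers, so comparisons survive
    the 2106 wraparound instead of using plain integer ordering."""
    a %= MOD
    b %= MOD
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


@dataclass(frozen=True)
class Rrsig:
    """The two temporal fields of an RRSIG RDATA (other fields omitted)."""
    inception: int
    expiration: int
    owner: str = "example.net."   # constructed owner name


def rrsig_time_valid(sig: Rrsig, now: int) -> bool:
    """Signature is usable iff inception <= now <= expiration, both
    comparisons in serial arithmetic as RFC 4034 section 3.1.5 requires."""
    not_yet_valid = serial_lt(now, sig.inception)
    expired = serial_lt(sig.expiration, now)
    return not (not_yet_valid or expired)


def bootstrap_and_validate(
    sig: Rrsig,
    boot_clock: int,
    unvalidated_time_fetch: Callable[[], int],
) -> Tuple[bool, bool, int]:
    """Order of operations forced on a clock-less device:
      1. try validation with the cold-boot clock (fails: signature is
         'not yet valid' when the clock sits near the epoch);
      2. obtain a time estimate from a source reached WITHOUT DNSSEC
         validation (assumption: an NTP server addressed by IP literal or
         a lookup done with validation disabled; this is the step the
         thread says needs to be secured);
      3. retry validation with the obtained clock.
    Returns (valid_before, valid_after, clock_used_after)."""
    before = rrsig_time_valid(sig, boot_clock)
    clock = boot_clock if before else unvalidated_time_fetch()
    after = rrsig_time_valid(sig, clock)
    return before, after, clock


# Constructed signature: inception ~2013-09-01, expiration ~2013-09-12 (UTC).
SIG = Rrsig(inception=1378000000, expiration=1379000000)
COLD_BOOT_CLOCK = 0              # a box with no TOY clock starts at the epoch
SYNCED_CLOCK = 1378800000        # ~2013-09-10, the date of the thread


def demo() -> Tuple[bool, bool, int]:
    """Runs the bootstrap sequence with a fake time source standing in for
    an unvalidated NTP exchange."""
    return bootstrap_and_validate(SIG, COLD_BOOT_CLOCK, lambda: SYNCED_CLOCK)


if __name__ == "__main__":
    before, after, clock = demo()
    print(f"cold boot (clock={COLD_BOOT_CLOCK}): valid={before}")
    print(f"after bootstrap (clock={clock}): valid={after}")
```

The interesting case for a home gateway is the first line of output: with the clock at the epoch the signature is rejected, and because the rejection is indistinguishable from a forged or stale signature, the validator has nothing it can safely trust until some time source is reached outside of DNSSEC.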