Hi Jim,
At 08:55 10-09-2013, Jim Gettys wrote:
We uncovered two practical problems, both of which need to be solved
to enable full DNSSEC deployment into the home:
1) DNSSEC needs to have the time within one hour. But these devices
do not have TOY clocks (and arguably, never will, nor even probably
should ever have them).
So how do you get the time after you power on the device? The usual
answer is "use ntp". Except you can't do a DNS resolve when your
time is incorrect. You have a chicken and egg problem to
resolve/hack around :-(.
That problem has been bothering me for a while. There can be a leap
of faith at startup to get the correct time. DNSSEC can be done after that.
Regards,
-sm