On Sep 11, 2013, at 7:19 AM, Olafur Gudmundsson <ogud@xxxxxxxx> wrote:

>> (Actually... the root nameservers could *almost* provide a workable time
>> tick for bootstrapping purposes right now: the SOA record for the root
>> zone encodes today's date in the serial number. So you do the SOA lookup,
>> set your system clock, attempt validation; on failure, set the clock an
>> hour forward and try again; on success, use NTP to fine-tune. Klugey! :) )
>>
>> -
>
> RRSIG on the SOA or NS or DNSKEY also is a fine timestamp except when it is a
> replay attack or a forgery,

This can actually do it down to 1s precision except in the case of a replay attack with a dynamically signed name (and if you are facing a replay attack, you can't trust NTP anyway!):

E.g., this name:

dig +dnssec 10sec100ttlsig.netalyzr-dnssec.com @8.8.8.8

has an RRSIG that expires in +10 seconds (ALWAYS), but has a TTL on the record that expires in 100 s.

This is an example name on my server designed for allowing single-lookup clockdrift testing on DNSSEC validators. (The signature is also generated on-the-fly every second it's requested, and a subsequent addition will include the ability to add a NONCE to guarantee cache-busting, too.)

--
Nicholas Weaver                  it is a tale, told by an idiot,
nweaver@xxxxxxxxxxxxxxxxx        full of sound and fury,
510-666-2903                     .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
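The two clock-bootstrapping ideas in the thread (reading a date out of a YYYYMMDDnn-style SOA serial, then stepping the clock forward until a signature validates; and reading the 1-second-precision inception/expiration window straight off an RRSIG) can be shown with a small parser over dig's presentation format. The following is an added example written for this page, not code from the thread's participants or from the netalyzr-dnssec.com server; the SOA and RRSIG records are constructed samples (the signature data is not real), the 10-second window mirrors the name Nicholas describes, and the `bootstrap_clock` function is one way to implement the quoted "SOA date, then step an hour at a time" kluge. Note that, as the thread says, this is a sanity check and not a defence against replay: a replayed old signature yields a stale but internally consistent window, so the check can only tell you the clock is outside a window, not that the window itself is fresh.

```python
"""Clock sanity checks from DNSSEC records, in dig presentation format (added example)."""
from datetime import datetime, timedelta, timezone

# Constructed sample records; not captured from a real server.
# Root SOA with a date-style serial (2013-09-11, revision 00).
SAMPLE_SOA = (". 86400 IN SOA a.root-servers.net. nstld.verisign-grs.com. "
              "2013091100 1800 900 604800 86400")
# RRSIG in presentation format: name ttl class RRSIG type alg labels orig_ttl
# expiration inception keytag signer signature. This one mimics the 10-second
# signature window with a 100-second TTL that the thread describes.
SAMPLE_RRSIG = ("10sec100ttlsig.netalyzr-dnssec.com. 100 IN RRSIG A 8 3 100 "
                "20130911141910 20130911141900 12345 netalyzr-dnssec.com. "
                "Q29uc3RydWN0ZWRTaWduYXR1cmVEYXRh")
# A "normal" signature with a week-long window, used for the bootstrap walk.
SAMPLE_ROOT_RRSIG = (". 86400 IN RRSIG SOA 8 0 86400 "
                     "20130918060000 20130911060000 54321 . "
                     "Q29uc3RydWN0ZWRTaWduYXR1cmVEYXRh")


def utc(*parts):
    """Build a UTC datetime from (year, month, day[, hour, minute, second])."""
    return datetime(*parts, tzinfo=timezone.utc)


def _parse_dns_time(field):
    # RRSIG timestamps are YYYYMMDDHHmmSS in UTC.
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def soa_serial_date(soa_text):
    """Return the date encoded in a YYYYMMDDnn serial, or None if the serial
    is not date-shaped (many zones use a plain counter or a Unix time)."""
    fields = soa_text.split()
    serial = fields[6]  # name ttl class SOA mname rname serial ...
    if len(serial) != 10:
        return None
    try:
        return datetime.strptime(serial[:8], "%Y%m%d").replace(tzinfo=timezone.utc)
    except ValueError:
        return None


def parse_rrsig(rrsig_text):
    """Pull the fields a clock check needs out of an RRSIG presentation line."""
    f = rrsig_text.split()
    return {
        "name": f[0],
        "ttl": int(f[1]),
        "type_covered": f[4],
        "expiration": _parse_dns_time(f[8]),
        "inception": _parse_dns_time(f[9]),
        "signer": f[11],
    }


def clock_status(sig, now):
    """Compare a local clock reading against the signature's validity window.
    Returns (status, seconds_outside_window); 'ok' means inside the window."""
    if now < sig["inception"]:
        return "clock_behind", int((sig["inception"] - now).total_seconds())
    if now > sig["expiration"]:
        return "clock_ahead", int((now - sig["expiration"]).total_seconds())
    return "ok", 0


def window_seconds(sig):
    """Length of the validity window; the thread's test name keeps this at 10."""
    return int((sig["expiration"] - sig["inception"]).total_seconds())


def bootstrap_clock(soa_text, sig, step_hours=1, max_steps=24 * 7):
    """The quoted kluge: start from the SOA serial date and step the guessed
    clock forward until the signature validates. Returns the first guess that
    lands inside the window, or None if the serial is not a date or no step fits."""
    guess = soa_serial_date(soa_text)
    if guess is None:
        return None
    for _ in range(max_steps):
        if clock_status(sig, guess)[0] == "ok":
            return guess
        guess += timedelta(hours=step_hours)
    return None


if __name__ == "__main__":
    sig = parse_rrsig(SAMPLE_RRSIG)
    print("window:", window_seconds(sig), "s; ttl:", sig["ttl"], "s")
    print(clock_status(sig, utc(2013, 9, 11, 14, 20, 0)))
    print("bootstrap:", bootstrap_clock(SAMPLE_SOA, parse_rrsig(SAMPLE_ROOT_RRSIG)))
```

The hourly step only works against a signature whose window is at least an hour wide (the week-long root-style record above); against the 10-second test name it will never land inside the window, which is exactly why that name is useful for measuring drift once the clock is roughly right rather than for the initial bootstrap.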