Re: [DNSOP] Practical issues deploying DNSSEC into the home.

On Wed, Sep 11, 2013 at 12:08 PM, Paul Wouters <paul@xxxxxxxxx> wrote:
On Wed, 11 Sep 2013, Joe Abley wrote:


1. We only need to know the current time to an accuracy of 1 hour.

[RRSIG expiration times are specified with a granularity of a second, right?

I appreciate that most people are generous with signature inception and expiration times in order to facilitate clock skew on validators, but I think "1 hour" needs some qualification.]

The 1h came from the shortest RRSIG validity time in the chain to get to
pool.ntp.org, but performing a handful of queries now, I cannot find
that magical RRSIG with the 1h validity period.

Note: I also once ran into bad clocks due to dual boot systems with
Windows and Daylight Savings Time, so I explicitly set inception time
to -2h. One hour is not enough on doubly broken systems.

The DNS is the naming infrastructure of the Internet. While it is in theory possible to use the DNS to advertise very rapid changes to Internet infrastructure, the practice is that the Internet infrastructure will look almost exactly the same in one hour's time as it does right now.
 
Using DNS data from 24 hours earlier might create reliability issues but should never introduce a security risk. Anyone who is relying on the DNS for data that is more time sensitive than 1 hour is doing it wrong.



--
Website: http://hallambaker.com/
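An added example, not from this thread or from any of its authors, that works through the timing arithmetic discussed above in Python: the signer's RRSIG window with an inception shift (Paul's -2h), the strict RFC 4035 inception/expiration check on the validator, and a constructed three-signature chain whose leaf is signed for only one hour. The chain, its windows and the signing time are invented for illustration.

```python
# Added example (not from the thread): RRSIG timing arithmetic.
from datetime import datetime, timedelta, timezone
RRSIG_TIME_FMT = "%Y%m%d%H%M%S"  # RRSIG presentation format (RFC 4034 s3.2), UTC

def parse_rrsig_time(text):
    return datetime.strptime(text, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)
def format_rrsig_time(dt):
    return dt.astimezone(timezone.utc).strftime(RRSIG_TIME_FMT)

def sign_window(signing_time, validity, inception_offset=timedelta(0)):
    """Signer side. 'inception_offset' shifts inception into the past (Paul's -2h)
    so validators with slow clocks still accept the RRSIG; expiration stays at
    signing_time + validity, so the offset does nothing for a *fast* clock."""
    return (format_rrsig_time(signing_time - inception_offset),
            format_rrsig_time(signing_time + validity))

def rrsig_valid_at(inception, expiration, now):
    """Validator side: RFC 4035 s5.3.1 requires inception <= now <= expiration.
    The RFC gives no skew allowance; tolerance lives in the signer's window."""
    return parse_rrsig_time(inception) <= now <= parse_rrsig_time(expiration)

def shortest_validity(chain):
    """Narrowest (expiration - inception) window in a chain, as Paul went looking for."""
    return min((parse_rrsig_time(e) - parse_rrsig_time(i), owner) for owner, i, e in chain)

def chain_validates(chain, validator_clock):
    """Every RRSIG on the path must be inside its window at the validator's clock."""
    return all(rrsig_valid_at(i, e, validator_clock) for _owner, i, e in chain)

# Constructed chain (windows invented): long-lived parents, leaf signed for one hour.
T_SIGN = datetime(2013, 9, 11, 11, 0, tzinfo=timezone.utc)

def build_chain(inception_offset=timedelta(0)):
    return [
        (".", *sign_window(T_SIGN - timedelta(days=10), timedelta(days=20), inception_offset)),
        ("org.", *sign_window(T_SIGN - timedelta(days=1), timedelta(days=7), inception_offset)),
        ("pool.ntp.org.", *sign_window(T_SIGN, timedelta(hours=1), inception_offset)),
    ]

def validates_with_clock_error(inception_offset_h, clock_error_h):
    """A host asks 30 minutes after signing, but its clock is off by clock_error_h hours."""
    true_now = T_SIGN + timedelta(minutes=30)
    chain = build_chain(timedelta(hours=inception_offset_h))
    return chain_validates(chain, true_now + timedelta(hours=clock_error_h))

if __name__ == "__main__":
    for offset_h, err_h in [(0, 0), (0, -2), (1, -2), (2, -2), (2, 2)]:
        ok = validates_with_clock_error(offset_h, err_h)
        print(f"inception -{offset_h}h, clock {err_h:+d}h -> {'valid' if ok else 'BOGUS'}")
```

The (1, -2) and (2, -2) rows reproduce Paul's observation that a one-hour inception shift is not enough for a clock two hours slow, and the (2, 2) row shows that shifting inception cannot rescue a clock that is fast; only a longer validity period does.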
