Hi Jim,
On 2013-09-10, at 11:55, Jim Gettys <jg(_at_)freedesktop(_dot_)org> wrote:
We uncovered two practical problems, both of which need to be solved to
enable full DNSSEC deployment into the home:
1) DNSSEC needs to have the time within one hour. But these devices do not
have TOY clocks (and arguably, never will, nor even probably should ever have
them).
So how do you get the time after you power on the device? The usual answer
is "use ntp". Except you can't do a DNS resolve when your time is incorrect.
You have a chicken and egg problem to resolve/hack around :-(.
Securely bootstrapping time in the Internet is something I believe needs
doing.... and being able to do so over wireless links, not just relying on
wired links.
Dave and I wrote up a proposal for this, which may be of interest. If you find
this document, let me know and we can work to rejuvenate it (it withered on the
I-D vine).
http://tools.ietf.org/html/draft-jabley-dnsop-validator-bootstrap-00
2) when you install a new home router, you may want to generate certificates
for that home domain (particularly so it can be your primary name server,
which you'd really like to be under your control anyway, rather than
delegating to someone else who could either intentionally on unintentionally
subvert your domain).
I think as a starting point, you could safely assume that any local domain you
host for the purpose of home users could be unsigned. Users behind the home
gateway are trusting the cache on the home gateway anyway; serving signed,
authoritative local data doesn't seem like it would add much benefot over
serving the same data unsigned.
Joe