Jim:
1) DNSSEC needs to have the time within one hour. But these devices do not
have TOY clocks (and arguably, never will, nor even probably should ever have
them).
So how do you get the time after you power on the device? The usual answer
is "use ntp". Except you can't do a DNS resolve when your time is incorrect.
You have a chicken and egg problem to resolve/hack around :-(.
Securely bootstrapping time in the Internet is something I believe needs
doing.... and being able to do so over wireless links, not just relying on
wired links.
NTP can be used to get time from an IP address. I understand all of the
reasons why a DNS name is preferred, but this a bootstrapping problem.
RFC 5906 offers a way for NTP responses to be authenticated. So, if the IP
address points to a NTP server that will give back a signed response, then the
solution seems pretty straightforward.
Of course, the vendor will need to make sure that one or more NTP servers are
available, and make sure that the public keys are in place to validate the
signed NTP responses. Over time these could change, but that could be handled
by firmware updates. Many installation procedures include fetching the latest
firmware, but DNS and routing need to be working for that to work in this
bootstrap environment. Hopefully the firmware is authenticated too. RFC 4108
offers one approach to solving that problem.
Russ