On Sep 11, 2013, at 7:19 AM, Olafur Gudmundsson <ogud(_at_)ogud(_dot_)com>
wrote:
(Actually... the root nameservers could *almost* provide a workable time
tick for bootstrapping purposes right now: the SOA record for the root
zone encodes today's date in the serial number. So you do the SOA lookup,
set your system clock, attempt validation; on failure, set the clock an
hour forward and try again; on success, use NTP to fine-tune. Klugey! :) )
An RRSIG on the SOA, NS or DNSKEY is also a fine timestamp, except when it is a
replay attack or a forgery.
This can actually do it down to 1 s precision, except in the case of a replay
attack with a dynamically signed name (and if you are facing a replay attack,
you can't trust NTP anyway!):
E.g., this name:
dig +dnssec 10sec100ttlsig.netalyzr-dnssec.com @8.8.8.8
has an RRSIG that expires in +10 seconds (ALWAYS), but has a TTL on the record
that expires in 100 s. This is an example name on my server designed to allow
single-lookup clock-drift testing on DNSSEC validators.
(The signature is also generated on the fly every second it's requested, and a
subsequent addition will include the ability to add a NONCE to guarantee
cache-busting, too.)
--
Nicholas Weaver                                it is a tale, told by an idiot,
nweaver(_at_)icsi(_dot_)berkeley(_dot_)edu     full of sound and fury,
510-666-2903                                   signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
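The clock-drift check Weaver describes, as an added example (mine, not code from the thread): parse the RRSIG line that `dig +dnssec` prints, decide what a validator with a given local clock would conclude, and, for a signature known to live exactly `lifetime` seconds, estimate the local clock offset. The record below is constructed, and the function and field names are my own assumptions.

```python
"""Clock-drift check from a short-lived RRSIG (added example, not the thread's
code). Assumes dig's presentation format and a signer that sets expiration =
its own clock + lifetime when answering, as the 10-second test name does."""
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample answer in presentation format (not a real capture).
SAMPLE_RRSIG = (
    "10sec100ttlsig.netalyzr-dnssec.com. 100 IN RRSIG A 8 2 100 "
    "20130911141929 20130911141919 12345 netalyzr-dnssec.com. AAAA=="
)

@dataclass(frozen=True)
class SigWindow:
    inception: int    # seconds since the Unix epoch
    expiration: int

def _timestamp(field: str) -> int:
    # RFC 4034 s3.2 allows YYYYMMDDHHmmSS (UTC) or the raw unsigned 32-bit count.
    if len(field) == 14 and field.isdigit():
        dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp())
    return int(field)

def parse_rrsig(line: str) -> SigWindow:
    """RDATA field order: type covered, algorithm, labels, original TTL,
    expiration, inception, key tag, signer's name, signature (RFC 4034 s3.2)."""
    f = line.split()
    if len(f) < 13 or f[3] != "RRSIG":
        raise ValueError("not a presentation-format RRSIG record")
    return SigWindow(inception=_timestamp(f[9]), expiration=_timestamp(f[8]))

def validity(win: SigWindow, now: int) -> str:
    """What a validator whose local clock reads `now` concludes. Real validators
    use 32-bit serial arithmetic (RFC 4034 s3.1.5); plain comparison suffices
    here because the fields were already widened to Python ints."""
    if now < win.inception:
        return "not yet valid"
    if now > win.expiration:
        return "expired"
    return "valid"

def clock_offset(win: SigWindow, lifetime: int, now: int) -> int:
    """Estimated (local clock - signer clock) in seconds: the signer's clock
    read expiration - lifetime at signing time, so local drift is the rest."""
    return now - (win.expiration - lifetime)

if __name__ == "__main__":
    w = parse_rrsig(SAMPLE_RRSIG)
    print(validity(w, w.expiration - 7), clock_offset(w, 10, w.expiration - 7))
```

With a validator whose clock is 3 s fast, the sample still validates (it is inside the 10 s window) and the offset estimate is 3; a clock more than 10 s off lands outside the window and validation fails, which is exactly what the test name is built to surface.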