
Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-11 10:17:18

On Sep 11, 2013, at 7:19 AM, Olafur Gudmundsson <ogud(_at_)ogud(_dot_)com> 
wrote:
> (Actually... the root nameservers could *almost* provide a workable time
> tick for bootstrapping purposes right now: the SOA record for the root
> zone encodes today's date in the serial number.  So you do the SOA lookup,
> set your system clock, attempt validation; on failure, set the clock an
> hour forward and try again; on success, use NTP to fine-tune. Klugey! :) )
>
> RRSIG on the SOA or NS or DNSKEY is also a fine timestamp, except when it is
> a replay attack or a forgery,


This can actually do it down to 1s precision except in the case of a replay 
attack with a dynamically signed name (and if you are facing a replay attack, 
you can't trust NTP anyway!):

E.g., this name:

dig +dnssec 10sec100ttlsig.netalyzr-dnssec.com @8.8.8.8

has an RRSIG that expires in +10 seconds (ALWAYS), but has a TTL on the record 
that expires in 100 s.  This is an example name on my server designed for 
allowing single-lookup clock-drift testing on DNSSEC validators.

(The signature is also generated on-the-fly every second it's requested, and a 
subsequent addition will include the ability to add a NONCE to guarantee 
cache-busting, too.)

--
Nicholas Weaver                             it is a tale, told by an idiot,
nweaver(_at_)icsi(_dot_)berkeley(_dot_)edu  full of sound and fury,
510-666-2903                                .signifying nothing
PGP: http://www1.icsi.berkeley.edu/~nweaver/data/nweaver_pub.asc
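The clock-drift check the message describes, written out as an added example (not code from the thread or from the netalyzr-dnssec.com server): it parses the inception/expiration pair out of a constructed RRSIG line shaped like the 10-second signature above, reports how far a local clock has to move to land inside the window, and includes the coarse SOA-serial bootstrap from the quoted message. The RRSIG rdata, serial and "wrong" clock values are all constructed, not captured.

```python
from datetime import datetime, timezone

# Constructed example of RRSIG rdata in presentation format, as `dig +dnssec`
# prints it, shaped like the thread's 10 s signature. Not captured from the live name.
# Field order: type-covered alg labels orig-ttl EXPIRATION INCEPTION keytag signer sig
SAMPLE_RRSIG = ("A 13 2 100 20130911151728 20130911151718 12345 "
                "netalyzr-dnssec.com. c29tZXNpZ25hdHVyZQ==")


def rrsig_time(stamp: str) -> datetime:
    """Parse a YYYYMMDDHHmmSS RRSIG timestamp (always UTC) into an aware datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig_window(rdata: str):
    """Return (inception, expiration); expiration comes first on the presentation line."""
    fields = rdata.split()
    return rrsig_time(fields[5]), rrsig_time(fields[4])


def clock_correction(rdata: str, now: datetime) -> int:
    """Seconds to add to the local clock so it lands inside the RRSIG validity window.

    0 means the clock already validates; a narrow window (10 s on the test name)
    bounds how far off the clock can be and still pass.  A replayed, stale RRSIG
    shows up here as a clock that appears to be running ahead, which is the
    caveat the thread raises about trusting this without a nonce.
    """
    inception, expiration = parse_rrsig_window(rdata)
    if now < inception:
        return int((inception - now).total_seconds())
    if now > expiration:
        return -int((now - expiration).total_seconds())
    return 0


def date_from_soa_serial(serial: int) -> str:
    """Coarse bootstrap from a YYYYMMDDnn-style SOA serial (root zone convention),
    the 'klugey' first step quoted in the thread; day precision only."""
    return datetime.strptime(str(serial)[:8], "%Y%m%d").date().isoformat()


if __name__ == "__main__":
    bad_clock = rrsig_time("20130911151700")  # constructed: 18 s behind the window
    print("correction (s):", clock_correction(SAMPLE_RRSIG, bad_clock))  # 18
    print("root serial date:", date_from_soa_serial(2013091101))  # 2013-09-11
```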
