ietf
[Top] [All Lists]

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-11 11:20:18
On Wed, Sep 11, 2013 at 12:08 PM, Paul Wouters <paul(_at_)nohats(_dot_)ca> 
wrote:

On Wed, 11 Sep 2013, Joe Abley wrote:


1. We only need to know the current time to an accuracy of 1 hour.


[RRSIG expiration times are specified with a granularity of a second,
right?

I appreciate that most people are generous with signature inception and
expiration times in order to facilitate clock skew on validators, but I
think "1 hour" needs some qualification.]


The 1h came from the shortest RRSIG validity time in the chain to get to
pool.ntp.org, but performing a handful of queries now, I cannot find
that magical RRSIG with the 1h validity period.

Note: I also once ran into bad clocks due to dual boot systems with
Windows and Daylight Savings Time, so I explicitely set inception time
to -2h. One hour is not enough on doubly broken systems.


The DNS is the naming infrastructure of the Internet. While it is in theory
possible to use the DNS to advertise very rapid changes to Internet
infrastructure, the practice is that the Internet infrastructure will look
almost exactly the same in one hour's time as it does right now.

Using DNS data from 24 hours earlier might create reliability issues but
should never introduce a security risk. Anyone who is relying on the DNS
for data that is more time sensitive than 1 hour is doing it wrong.



-- 
Website: http://hallambaker.com/
<Prev in Thread] Current Thread [Next in Thread>