
Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 04:40:33
Phillip Hallam-Baker <hallam(_at_)gmail(_dot_)com> wrote:

> 2. The current time is a matter of convention rather than a natural
> property. It is therefore impossible to determine the time without
> reference to at least one trusted party.

Preferably more than one so you can use quorum agreement and minimize the
amount of trust you put in any single time reference.

> 4) In the case of DNSSEC the window of vulnerability is actually fairly
> small since rewinding the time to a date in the past only helps an attacker
> if they had compromised the system on that date.

So if you rely on RRSIG timestamps or SOA serial numbers to get the time,
an attacker that manages to compromise DNSSEC can replay that compromise
indefinitely.

> The real design decision is who you decide you are going to rely on for
> (3). TLS is proof against replay attack due to the exchange of nonces.

Right.

Tony.
-- 
f.anthony.n.finch  <dot(_at_)dotat(_dot_)at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
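The two points made above (quorum agreement among several time references, and the replay problem when a validator takes its clock from the RRSIG timestamps themselves) as an added worked example; this is not code from the thread or from any DNSSEC implementation, and every timestamp in it is constructed.

```python
"""Toy DNSSEC validity-window check with two clock sources (constructed example).

A validator that learns the current time from a quorum of independent
references can reject a replayed signature from a past compromise window.
One that bootstraps its clock from the RRSIG's own timestamps cannot:
whatever is inside the window "looks" current, so the check never fails.
"""
import statistics
from typing import Dict, Sequence

# Constructed RRSIG window: 2012-01-01 .. 2012-01-31 UTC (Unix seconds).
# Assume the zone was compromised during that window and the attacker kept
# the signed response to replay later.
OLD_RRSIG: Dict[str, int] = {"inception": 1325376000, "expiration": 1327968000}

# Constructed "true" current time and honest/lying reference readings.
NOW = 1378960833
HONEST = [NOW, NOW + 1, NOW - 2]
ROLLED_BACK = 1325400000  # a reference that reports a time inside the old window


def quorum_time(readings: Sequence[int], tolerance: int = 60, min_agree: int = 3) -> int:
    """Median of the readings that agree within `tolerance` seconds.

    At least `min_agree` readings must agree, so a single lying reference
    cannot drag the result outside the honest cluster; if the references
    split so that no cluster reaches the quorum, refuse to decide.
    """
    centre = statistics.median_low(readings)
    agreeing = [r for r in readings if abs(r - centre) <= tolerance]
    if len(agreeing) < min_agree:
        raise ValueError("no quorum among time references")
    return statistics.median_low(agreeing)


def in_window(rrsig: Dict[str, int], now: int) -> bool:
    """RFC 4034 style check: inception <= now <= expiration."""
    return rrsig["inception"] <= now <= rrsig["expiration"]


def validate_with_quorum(rrsig: Dict[str, int], readings: Sequence[int]) -> bool:
    """Validity-window check using a clock agreed by a quorum of references."""
    return in_window(rrsig, quorum_time(readings))


def validate_with_self_clock(rrsig: Dict[str, int]) -> bool:
    """Validity-window check when the clock is bootstrapped from the RRSIG
    being validated (here: set to its inception). Always succeeds, which is
    exactly why a compromised response replays indefinitely."""
    return in_window(rrsig, rrsig["inception"])
```

With three honest references and one rolled-back one, the quorum clock rejects the old signature; with the references split two against two, `quorum_time` refuses rather than guessing.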