Re: [DNSOP] Practical issues deploying DNSSEC into the home.

ietf

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-12 10:28:50

On Wed, 11 Sep 2013, Joe Abley wrote:


1. We only need to know the current time to an accuracy of 1 hour.


[RRSIG expiration times are specified with a granularity of a second, right?

I appreciate that most people are generous with signature inception and expiration times 
in order to facilitate clock skew on validators, but I think "1 hour" needs 
some qualification.]


The 1h came from the shortest RRSIG validity time in the chain to get to
pool.ntp.org, but performing a handful of queries now, I cannot find
that magical RRSIG with the 1h validity period.

Note: I also once ran into bad clocks due to dual boot systems with
Windows and Daylight Savings Time, so I explicitely set inception time
to -2h. One hour is not enough on doubly broken systems.

Paul

[More with this subject...]

<Prev in Thread]	Current Thread	[Next in Thread>
Re: Practical issues deploying DNSSEC into the home., (continued) Re: Practical issues deploying DNSSEC into the home., David Morris Re: [DNSOP] Practical issues deploying DNSSEC into the home., Olafur Gudmundsson Re: [DNSOP] Practical issues deploying DNSSEC into the home., Paul Wouters Re: [DNSOP] Practical issues deploying DNSSEC into the home., David Morris Re: Practical issues deploying DNSSEC into the home., Olafur Gudmundsson Re: [DNSOP] Practical issues deploying DNSSEC into the home., Evan Hunt Re: [DNSOP] Practical issues deploying DNSSEC into the home., Olafur Gudmundsson Re: [DNSOP] Practical issues deploying DNSSEC into the home., Nicholas Weaver Re: [DNSOP] Practical issues deploying DNSSEC into the home., Phillip Hallam-Baker Re: [DNSOP] Practical issues deploying DNSSEC into the home., Joe Abley Re: [DNSOP] Practical issues deploying DNSSEC into the home., Paul Wouters <= Re: [DNSOP] Practical issues deploying DNSSEC into the home., Phillip Hallam-Baker Re: [DNSOP] Practical issues deploying DNSSEC into the home., Nicholas Weaver Re: [DNSOP] Practical issues deploying DNSSEC into the home., Phillip Hallam-Baker Re: [DNSOP] Practical issues deploying DNSSEC into the home., Theodore Ts'o Re: [DNSOP] Practical issues deploying DNSSEC into the home., Masataka Ohta Re: [DNSOP] Practical issues deploying DNSSEC into the home., Martin Rex Re: [DNSOP] Practical issues deploying DNSSEC into the home., Masataka Ohta Re: [DNSOP] Practical issues deploying DNSSEC into the home., Tony Finch Re: [DNSOP] Practical issues deploying DNSSEC into the home., Ted Lemon Re: [DNSOP] Practical issues deploying DNSSEC into the home., Masataka Ohta

Previous by Date:	Re: [v6ops] Last Call: <draft-ietf-v6ops-mobile-device-profile-04.txt> (Internet Protocol Version 6 (IPv6) Profile for 3GPP Mobile Devices) to Informational RFC, Owen DeLong
Next by Date:	Re: [DNSOP] Practical issues deploying DNSSEC into the home., Paul Wouters
Previous by Thread:	Re: [DNSOP] Practical issues deploying DNSSEC into the home., Joe Abley
Next by Thread:	Re: [DNSOP] Practical issues deploying DNSSEC into the home., Phillip Hallam-Baker
Indexes:	[Date] [Thread] [Top] [All Lists]