>Now, 10 years after plugging the first one in, I take the second one
>off the shelf and plug it in. It will now not work because there has been
>a root zone key rollover. I am told this is by design. This makes me a sad
>panda.
>
>We have a bootstrapping problem. My device has no way to know what time it
>is so it can't verify certificates that might be used to update the key
>material, and by above design decision, DNSSEC doesn't work.

Recently, there was some discussion in homenet related to this topic, in particular how a device without a battery-backed RTC obtains the current time. I think that ideally this should be discussed in a security-related working group, because a lot of this is basically how we can have long-term stable (online) signature keys.

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop