On Wed, 11 Sep 2013, Olafur Gudmundsson wrote:
I think you can avoid that issue by having the device not pass traffic
until the DNSSEC validation is enabled. Only the device needs the special
permissive handling for this to work.
You mean only allow NTP and DNS traffic in the beginning, until
OK, let's consider the trust requirements here.
1. We only need to know the current time to an accuracy of 1 hour.
2. The current time is a matter of convention rather than a natural
property. It is therefore impossible to determine the time without
reference to at least one trusted party.
2a) A t
On 2013-09-11, at 11:43, Phillip Hallam-Baker wrote:
> OK, let's consider the trust requirements here.
>
> 1. We only need to know the current time to an accuracy of 1 hour.
[RRSIG expiration times are specified with a granularity of a second, right?
I appreciate that most people are generous w
On Sep 11, 2013, at 12:38 PM, Phillip Hallam-Baker wrote:
>>
>> I disagree. DNSSEC is not just DNS: it's the only available, deployed, and
>> (mostly) accessible global PKI currently in existence which also includes a
>> constrained path of trust which follows already established business
>>
On Wed, Sep 11, 2013 at 12:26 PM, Nicholas Weaver wrote:
>
> On Sep 11, 2013, at 9:18 AM, Phillip Hallam-Baker
> wrote:
> >
> > The DNS is the naming infrastructure of the Internet. While it is in
> theory possible to use the DNS to advertise very rapid changes to Internet
> infrastructure, the
On Wed, 11 Sep 2013, Joe Abley wrote:
1. We only need to know the current time to an accuracy of 1 hour.
[RRSIG expiration times are specified with a granularity of a second, right?
I appreciate that most people are generous with signature inception and expiration times
in order to facilita
On Wed, Sep 11, 2013 at 12:08 PM, Paul Wouters wrote:
> On Wed, 11 Sep 2013, Joe Abley wrote:
>
>
>>> 1. We only need to know the current time to an accuracy of 1 hour.
>>>
>>
>> [RRSIG expiration times are specified with a granularity of a second,
>> right?
>>
>> I appreciate that most people ar
On Sep 11, 2013, at 9:18 AM, Phillip Hallam-Baker wrote:
>
> The DNS is the naming infrastructure of the Internet. While it is in theory
> possible to use the DNS to advertise very rapid changes to Internet
> infrastructure, the practice is that the Internet infrastructure will look
> almost
On Sep 10, 2013, at 6:45 PM, Evan Hunt wrote:
> On Tue, Sep 10, 2013 at 05:59:52PM -0400, Olafur Gudmundsson wrote:
>> My colleagues and I worked on OpenWrt routers to get Unbound to work
>> there, what you need to do is to start DNS up in non-validating mode wait
>> for NTP to fix time, then ch
On Sep 10, 2013, at 8:17 PM, David Morris wrote:
>
>
> On Wed, 11 Sep 2013, Brian E Carpenter wrote:
>
>> On 11/09/2013 09:59, Olafur Gudmundsson wrote:
>> ...
>>> My colleagues and I worked on OpenWrt routers to get Unbound to work there,
>>> what you need to do is to start DNS up in non-va
On Sep 10, 2013, at 7:17 PM, Brian E Carpenter
wrote:
> On 11/09/2013 09:59, Olafur Gudmundsson wrote:
> ...
>> My colleagues and I worked on OpenWrt routers to get Unbound to work there,
>> what you need to do is to start DNS up in non-validating mode
>> wait for NTP to fix time, then check i
On Sep 11, 2013, at 7:19 AM, Olafur Gudmundsson wrote:
>> (Actually... the root nameservers could *almost* provide a workable time
>> tick for bootstrapping purposes right now: the SOA record for the root
>> zone encodes today's date in the serial number. So you do the SOA lookup,
>> set your sy
On Wed, 11 Sep 2013, Brian E Carpenter wrote:
> On 11/09/2013 09:59, Olafur Gudmundsson wrote:
> ...
> > My colleagues and I worked on OpenWrt routers to get Unbound to work there,
> > what you need to do is to start DNS up in non-validating mode
> > wait for NTP to fix time, then check if the
13 matches