On Tue, 1 Feb 2011, Brian Dickson wrote:
However, once you have a trust anchor (root key) that you have a lot
of confidence in, you can then do some cute DNSSEC tricks to get a
rough idea of time, and then a better idea of time.
First, look at the contents of the RRSIGs for the root. If you believe
the RRSIGs, you also necessarily believe that the current time must be
within the start/end time of those RRSIGs.
But if the rootkey was compromised, so would the RRSIGs? At least for the
view of the device - if the attacker cannot fool the client that the old
compromised root key is the real one, or preset a fake successor in some
history zone, then the attacker lost anyway.
Next, consider what needs to happen for TLDs that update very frequently.
When they update, their SOA SN needs to change.
And, if they are signed zones, the SOA record's RRSIG needs to be
generated when this happens.
Using the start date/time of such an RRSIG on the SOA for such a zone,
should give a pretty good value for the current time, to at least an
accuracy of a couple of minutes.
That actually is a nice trick. Though I don't think it gets you acuracy on
the minute, but hours surely. org. got me witin an hour, gov. within 3 hours.
This may be good enough for DNSSEC purposes.
At least to then do ntp and and see that it matches our rough expectation.
Though in all, if the attacker is your controlling upstream, you are lost.
Paul
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
