In message <[email protected]>, Masataka Ohta writes:
> Hosnieh Rafiee wrote:
> 
> > I have gathered some vulnerabilities in the current DNS security approaches
> > such as DNSSEC and etc.  We think it is useful to have a survey of existing
> > vulnerabilities or any new vulnerabilities so that we can address those
> > issues in other standard RFC.  This is why we plan to write a new
> > informational draft.
> 
> As was discussed recently in IETF ML, a serious vulnerability of,
> so-called, DNSSEC is lack of secure time.
> 
> In the discussion, there is no practical solution against it,
> though some security novices innocently believed GPS time were
> automagically secure.
> 
> That is, so far, there is no way to have really secure DNSSEC.
> 
>                                               Masataka Ohta

DNSSEC requires everyone to be using roughly the same concept of
the current time.  It doesn't have to be particularly accurately
set.  You don't need to run NTP or anything else to keep it in sync.

Just set the clock on your validating resolver the way you would
your wrist watch once a year/month and as long as it has a battery
backup you will be fine.

Mark

> > There is currently one old RFC that addresses the DNS vulnerabilities:
> > http://tools.ietf.org/html/rfc3833
> > 
> > So, we welcome any ideas about this work.
> > 
> > Thanks,
> > Best,
> > Hosnieh
> > 
> > 
> > 
> > _______________________________________________
> > DNSOP mailing list
> > [email protected]
> > https://www.ietf.org/mailman/listinfo/dnsop
> > 
> > 
> 
> _______________________________________________
> dnsext mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsext
-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742                 INTERNET: [email protected]
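An added example, not from this thread, of the check Mark is describing: a validator only needs its clock to fall inside each RRSIG's inception..expiration window (RFC 4034 section 3.1.5, compared with RFC 1982 serial arithmetic), so the tolerable clock error is the distance to the nearer edge of that window. The RRSIG times below are constructed sample values, not from any real zone.

```python
# RFC 4034 3.1.5: RRSIG Signature Inception/Expiration are 32-bit unsigned
# seconds since the Unix epoch, compared with RFC 1982 serial arithmetic.
import datetime as dt

MOD = 1 << 32


def rrsig_time_to_epoch(text: str) -> int:
    """Parse the YYYYMMDDHHmmSS presentation format into epoch seconds mod 2^32."""
    t = dt.datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=dt.timezone.utc)
    return int(t.timestamp()) % MOD


def serial_le(a: int, b: int) -> bool:
    """a <= b under RFC 1982 serial number arithmetic (wraps at 2^32)."""
    return a == b or ((b - a) % MOD) < (1 << 31)


def rrsig_time_valid(inception: str, expiration: str, resolver_now: int) -> bool:
    """True when inception <= now <= expiration, as a validator checks (RFC 4035 5.3.1).

    A clock running far ahead makes every signature look expired (the resolver
    denies itself service); a clock pushed far into the past makes long-expired
    signatures look current, which is the replay risk the thread refers to.
    """
    inc = rrsig_time_to_epoch(inception)
    exp = rrsig_time_to_epoch(expiration)
    now = resolver_now % MOD
    return serial_le(inc, now) and serial_le(now, exp)


def validate_with_clock_error(inception: str, expiration: str,
                              true_now: int, clock_error_seconds: int) -> bool:
    """Outcome of validation when the resolver clock is off by clock_error_seconds."""
    return rrsig_time_valid(inception, expiration, true_now + clock_error_seconds)


def clock_error_tolerance(inception: str, expiration: str, true_now: int) -> tuple:
    """(seconds the clock may run slow, seconds it may run fast) and still validate."""
    inc = rrsig_time_to_epoch(inception)
    exp = rrsig_time_to_epoch(expiration)
    now = true_now % MOD
    return ((now - inc) % MOD, (exp - now) % MOD)


# Constructed sample: a 30-day signature window and the true time mid-window.
SAMPLE_INCEPTION = "20130101000000"
SAMPLE_EXPIRATION = "20130131000000"
SAMPLE_TRUE_NOW = rrsig_time_to_epoch("20130115000000")
```

With the sample window a clock a week slow or fast still validates, a clock a month fast sees only expired signatures, and a clock a year slow sees signatures that are not yet valid.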