Jim Reid wrote:

>> a serious vulnerability of so-called DNSSEC is the lack of secure time.
>> some security novices innocently believed GPS time was automagically secure.
>> That is, so far, there is no way to have really secure DNSSEC.
> 
> Rubbish!
> 
> If good timekeeping matters so much to DNSSEC, there are plenty of
> sources of reliable time. For most people, NTP will be good enough.

Very good point.

Then, your problem is that for most people, plain DNS *IS* good
enough and that DNSSEC+NTP does not make it any better.

> The paranoid might choose Secure NTP.

Secure NTP does not solve the operational problem of automatic
key rollover for secure NTP itself.

> The paranoid might choose Secure NTP. The really paranoid will
> have multiple time sources other than GPS: e.g. the radio clocks
> operated by many national standards institutes and/or the EU,
> Russian and Chinese(?) equivalents of GPS.

The problem is that a quartz clock combined with several
transmitters is good enough to fake GPS data.

> The really, really
> paranoid will operate their own atomic clocks.

While atomic clocks are not very expensive, they don't need
them, because only the really, really, really paranoid use
DNSSEC.

                                                Masataka Ohta
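The dispute above is about why a validator's clock matters at all. The concrete dependency is the RRSIG validity window: a validating resolver accepts a signature only if its own current time falls between the record's inception and expiration fields (RFC 4034 section 3.1.5 for the field format, RFC 4035 section 5.3.1 for the check). The following Python is an added illustration written for this page, not code from either poster or from any DNS implementation; the RRSIG timing values and the clock offsets are constructed, and the function names are hypothetical. It evaluates the same signature once with the correct clock and once with a skewed one, showing both failure modes: a clock set back lets an expired (possibly replayed) signature validate, and a clock set forward makes fresh, legitimate data fail.

```python
from datetime import datetime, timedelta, timezone

# Constructed RRSIG timing fields in presentation format (RFC 4034 s.3.1.5:
# YYYYMMDDHHmmSS, UTC). Made-up values, not taken from any real zone.
SAMPLE_RRSIG = {
    "type_covered": "A",
    "inception": "20240101000000",   # 2024-01-01 00:00:00 UTC
    "expiration": "20240115000000",  # 2024-01-15 00:00:00 UTC
}


def parse_rrsig_time(stamp: str) -> datetime:
    """Parse an RRSIG inception or expiration field into an aware UTC datetime."""
    return datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def signature_in_window(rrsig: dict, now: datetime) -> bool:
    """Temporal check a validator performs (RFC 4035 s.5.3.1).

    Everything here except `now` comes from the signed zone; `now` is the
    validator's own clock, which is the only input the zone signer cannot
    protect and which the thread is arguing about."""
    inception = parse_rrsig_time(rrsig["inception"])
    expiration = parse_rrsig_time(rrsig["expiration"])
    return inception <= now <= expiration


def compare_clocks(rrsig: dict, true_now: str, skew_seconds: int) -> dict:
    """Evaluate one RRSIG under the correct clock and under a skewed clock.

    `true_now` uses the same YYYYMMDDHHmmSS format as the RRSIG fields so the
    whole scenario can be described with strings. The returned dict records
    whether the skew flipped the verdict: rejection -> acceptance means an
    expired signature (e.g. a replayed old answer) passes; acceptance ->
    rejection means legitimate data fails (SERVFAIL, a self-inflicted outage)."""
    real_clock = parse_rrsig_time(true_now)
    skewed_clock = real_clock + timedelta(seconds=skew_seconds)
    with_true = signature_in_window(rrsig, real_clock)
    with_skew = signature_in_window(rrsig, skewed_clock)
    return {
        "true_clock_accepts": with_true,
        "skewed_clock_accepts": with_skew,
        "skew_changes_verdict": with_true != with_skew,
    }


if __name__ == "__main__":
    # Scenario 1: it is really 1 March 2024, the signature expired on 15 January.
    # A validator whose clock was pushed back 50 days believes it is 11 January
    # and accepts the stale signature.
    print(compare_clocks(SAMPLE_RRSIG, "20240301000000", -50 * 86400))
    # Scenario 2: it is really 10 January and the signature is fresh. A clock
    # pushed forward 10 days makes the validator reject legitimate data.
    print(compare_clocks(SAMPLE_RRSIG, "20240110000000", 10 * 86400))
```

Because the window check has no cryptographic input of its own, the practical mitigation is operational rather than protocol-level: keep validator clocks within a small fraction of the zone's signature lifetime (typically days to weeks), monitor for clock drift, and alert on the two symptoms above, a sudden burst of SERVFAIL on previously valid zones, or acceptance of signatures whose expiration is far in the past.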
_______________________________________________
DNSOP mailing list
https://www.ietf.org/mailman/listinfo/dnsop