How could a "local time problem" lead to using an "expired (zone) key" for arbitrary data of the zone? ~ DNSKEY info itself does not expire - only signatures have expiration date ~ admitting a "local time problem" can allow for replay attacks in the sense of: "making a validating resolver believe the RRSIG is still within validity time". Do not overlook the fact that the public key is still required to perform the validation itself!
So, I think you actually make a case for not letting "no longer used" DNSKEY information linger in the zone file.

Overall, assuming a DNS reply for www.example.com. with a signed but expired signature, would also need the no longer used zone signing key signed with the key signing key (possibly also expired) (and things get even more complicated if the key signing key has been rotated as well). So, there is still a lot of value in validating DNSSEC responses.

Kind regards,
Marc

On Mon, Oct 28, 2013 at 5:07 AM, Masataka Ohta <[email protected]> wrote:
> (partly removed)
>
> The problem is that, without human intervention by skilled
> operators, clocks can be very inaccurate.
>
> Then, a compromised and expired zone key can be used for
> arbitrary data of the zone, which is more serious than
> replay attack.
>
> Masataka Ohta
>
> _______________________________________________
> dnsext mailing list
> [email protected]
> https://www.ietf.org/mailman/listinfo/dnsext
_______________________________________________
DNSOP mailing list
[email protected]
https://www.ietf.org/mailman/listinfo/dnsop
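Added illustration of the two points argued above, not code from either poster: a validating resolver checks the RRSIG's inception/expiration against its own clock (RFC 4035 section 5.3.1, with the RFC 1982 serial arithmetic RFC 4034 section 3.1.5 mandates), while the DNSKEY record carries no timestamp at all, so the only thing that retires a key is removing it from the DNSKEY RRset. The toy ZSK RDATA, the RRSIG fields and the three clock values are constructed; the cryptographic verification of the RRset that follows these gates is not modelled.

```python
"""Time gate vs. key gate in DNSSEC validation (added example, constructed data)."""
from datetime import datetime, timezone
from typing import Dict, List

TWO32 = 1 << 32
HALF = 1 << 31


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 serial-number 'a < b' on 32-bit values; RRSIG timestamps wrap."""
    a %= TWO32
    b %= TWO32
    return (a < b and b - a < HALF) or (a > b and a - b > HALF)


def rrsig_time_ok(inception: int, expiration: int, now: int) -> bool:
    """RFC 4035 s5.3.1: usable only if inception <= now <= expiration, as the
    validator's clock sees 'now'. A skewed clock is the whole vulnerability."""
    return not serial_lt(now, inception) and not serial_lt(expiration, now)


def key_tag(dnskey_rdata: bytes) -> int:
    """RFC 4034 Appendix B key tag (algorithms other than 1). The RRSIG names
    the key it was made with by this tag, not by any validity period."""
    ac = 0
    for i, byte in enumerate(dnskey_rdata):
        ac += byte if i & 1 else byte << 8
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def validate_rrsig(rrsig: Dict[str, int], dnskeys: List[bytes], now: int) -> str:
    """Return which gate an RRSIG stops at. Note the order: with the old key
    gone from the zone there is nothing to verify with, whatever the clock says."""
    keys = {key_tag(rdata): rdata for rdata in dnskeys}
    if rrsig["key_tag"] not in keys:
        return "no-matching-dnskey"
    if not rrsig_time_ok(rrsig["inception"], rrsig["expiration"], now):
        return "signature-outside-validity"
    return "time-and-key-ok"  # RSA/ECDSA verification over the RRset would follow


def _epoch(y: int, m: int, d: int) -> int:
    return int(datetime(y, m, d, tzinfo=timezone.utc).timestamp())


# Constructed ZSK RDATA: flags 256 (ZSK), protocol 3, algorithm 13, 4 dummy key bytes.
ZSK_RDATA = bytes([0x01, 0x00, 0x03, 0x0D, 0x01, 0x02, 0x03, 0x04])

INCEPTION = _epoch(2013, 10, 1)   # constructed two-week signature window
EXPIRATION = _epoch(2013, 10, 15)
NOW_CORRECT = _epoch(2013, 10, 28)  # accurate clock: the signature has expired
NOW_SKEWED = _epoch(2013, 10, 10)   # clock three weeks behind: replay is accepted

RRSIG = {"key_tag": key_tag(ZSK_RDATA), "inception": INCEPTION, "expiration": EXPIRATION}


if __name__ == "__main__":
    print("accurate clock, key still published:", validate_rrsig(RRSIG, [ZSK_RDATA], NOW_CORRECT))
    print("skewed clock,   key still published:", validate_rrsig(RRSIG, [ZSK_RDATA], NOW_SKEWED))
    print("skewed clock,   key removed:        ", validate_rrsig(RRSIG, [], NOW_SKEWED))
```

The third call is the point of the reply: removing a retired DNSKEY from the zone (and from the parent's DS, for a KSK) closes the window that a wrong local clock would otherwise hold open, which is why a validator should treat clock accuracy as part of its trust base (NTP with authentication, or a sanity floor such as build time) rather than relying on signature expiry alone.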
