Tony Finch <[email protected]> wrote:

> Joe Abley <[email protected]> wrote:
> >
> > I think validation categorically needs to be off until the validator has
> > been bootstrapped (not just for this proposal, but in general). No
> > validation is possible before you have a stable sense of time and a
> > trusted set of local DNSSEC trust anchors. Acting as though you are
> > validating when you can't possibly be seems like a bad idea, since if
> > you can game validators to get stuck in that state you've defeated
> > DNSSEC.
>
> We-e-e-e-ell yes, except that you seem to have missed the fact that a
> witness trust anchor DOES allow you to validate that witness's zone, using
> normal validation logic. It is the combination of multiple witnesses that
> allows you to update the root trust anchor, after which you can validate
> the rest of the DNS. The root-witnesses.arpa zone is carefully designed to
> make it possible to resolve and validate the witnesses when the rest of
> the DNS cannot be validated.
>
> Time is an interesting point.
Sorry, I got distracted by children when writing my previous message...

When establishing the current time, it is necessary to run in a special validating mode which checks everything except for signature and certificate validity times. You have to authenticate your time servers, otherwise you are vulnerable to MitM attack.

Given that, a MitM is able to spoof old signatures from a compromised witness (say), but that is not enough to compromise the whole process unless the MitM has a whole quorum of compromised witnesses. Make the quorum big enough and that will be vanishingly unlikely.

Tony.

--
f.anthony.n.finch <[email protected]> http://dotat.at/
Viking, North Utsire, South Utsire: Southeasterly 5 to 7, occasionally gale 8 in Viking. Moderate or rough. Rain or showers. Moderate or good.
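The two mechanisms Tony describes above, a bootstrap validation mode that checks signatures but skips validity times, and a quorum of witnesses that must agree before the root trust anchor is updated, as a toy model. This is an added example, not code from the thread or from the draft it discusses: the record layout, the witness names under root-witnesses.arpa, the anchor digests and the HMAC "signatures" standing in for DNSSEC RRSIGs are all constructed for the demonstration.

```python
"""Toy model of quorum-of-witnesses root trust-anchor bootstrapping.

Added example, not code from the mailing-list thread or the draft it
discusses. Witness "signatures" are HMAC tags under a per-witness secret,
standing in for DNSSEC RRSIGs; record layout, witness names and anchor
digests are constructed for this demonstration.
"""
import hashlib
import hmac
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class WitnessRecord:
    witness: str       # zone name of the witness (constructed)
    root_anchor: str   # digest of the root key this witness vouches for
    inception: int     # signature validity window, Unix seconds
    expiration: int
    sig: bytes


def _signed_bytes(witness, root_anchor, inception, expiration):
    return f"{witness}|{root_anchor}|{inception}|{expiration}".encode()


def sign_record(witness, key, root_anchor, inception, expiration):
    """Produce a witness record 'signed' under the witness's key (HMAC stand-in)."""
    sig = hmac.new(key, _signed_bytes(witness, root_anchor, inception, expiration),
                   hashlib.sha256).digest()
    return WitnessRecord(witness, root_anchor, inception, expiration, sig)


def validate_record(rec, witness_anchors, now, check_times=True):
    """Validate one record under that witness's own trust anchor.

    check_times=False is the bootstrap mode from the thread: the signature is
    still verified, only the validity window is skipped because 'now' is not
    yet trusted.
    """
    key = witness_anchors.get(rec.witness)
    if key is None:
        return False
    expected = hmac.new(key, _signed_bytes(rec.witness, rec.root_anchor,
                                           rec.inception, rec.expiration),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec.sig):
        return False
    if check_times and not (rec.inception <= now <= rec.expiration):
        return False
    return True


def update_root_anchor(records, witness_anchors, quorum, now, check_times=True):
    """Return the root anchor vouched for by at least `quorum` distinct witnesses.

    One vote per witness; a witness whose valid records disagree with each
    other is discarded rather than counted either way.
    """
    claims = {}
    for rec in records:
        if validate_record(rec, witness_anchors, now, check_times):
            claims.setdefault(rec.witness, set()).add(rec.root_anchor)
    tally = Counter(next(iter(a)) for a in claims.values() if len(a) == 1)
    if not tally:
        return None
    anchor, count = tally.most_common(1)[0]
    return anchor if count >= quorum else None


def scenario(compromised, quorum=4, check_times=True):
    """Five constructed witnesses; `compromised` of them have a stale record
    (expired a year ago) replayed that points at an attacker-chosen anchor."""
    now = 1_700_000_000
    day = 86_400
    witnesses = [f"w{i}.root-witnesses.arpa" for i in range(1, 6)]
    # witness trust anchors: per-witness keys the resolver is assumed to ship with
    anchors = {w: hashlib.sha256(f"secret-{w}".encode()).digest() for w in witnesses}
    good, bogus = "sha256:GOOD-ROOT-KEY", "sha256:ATTACKER-ROOT-KEY"
    records = []
    for i, w in enumerate(witnesses):
        if i < compromised:
            records.append(sign_record(w, anchors[w], bogus, now - 400 * day, now - 365 * day))
        else:
            records.append(sign_record(w, anchors[w], good, now - day, now + day))
    return update_root_anchor(records, anchors, quorum, now, check_times)


if __name__ == "__main__":
    print("bootstrap mode, 1 compromised:", scenario(1, check_times=False))
    print("normal mode,    1 compromised:", scenario(1))
    print("bootstrap mode, 2 compromised:", scenario(2, check_times=False))
    print("bootstrap mode, 4 compromised:", scenario(4, check_times=False))
```

Running the scenarios shows the trade-off in the thread: with one compromised witness the replayed stale record is accepted in bootstrap mode but is only one vote, so the honest anchor still wins; once the attacker controls a full quorum (four of five here) the bogus anchor is accepted. Note also that a minority of bad witnesses can still deny the update (two compromised leaves only three honest votes, short of the quorum), so the quorum size is a balance between integrity and availability.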
