[Cerowrt-devel] DNSSEC & NTP Bootstrapping

Aaron Wood woody77 at gmail.com
Sun Mar 23 08:22:30 EDT 2014

On Sun, Mar 23, 2014 at 12:15 PM, Toke Høiland-Jørgensen <toke at toke.dk>wrote:

> Aaron Wood <woody77 at gmail.com> writes:
> > or we find a way to have long-lived dnssec entries.
> Is the timing controllable somehow? I.e. would it be possible to set up
> a special domain name with a really long-lived key that could be queried
> indefinitely for the IP address of one or more NTP servers, even in the
> face of an a wrong clock?

My understanding (albeit, not a deep one) is that the dnssec keys all have
a fairly short expiration, just a few months.  It would be nice if they
were longer-lived (in this particular case), but you still have an issue of
needing to decide what time is "now", within a reasonable degree, in order
to validate the domain.  Alternatively, you assume that you don't care
about the timeliness of the entry, for the resolution of ntp server names,
and then you have to somehow convey to the resolver that you want a secure
lookup, but it's ok if it's expired (or too new, or...), which gets back to
some of the earlier parts of this discussion.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20140323/354f0c34/attachment-0002.html>

More information about the Cerowrt-devel mailing list