[Cerowrt-devel] DNSSEC & NTP Bootstrapping -- prototype!

Toke Høiland-Jørgensen toke at toke.dk
Sun Mar 30 14:38:04 EDT 2014

> > Well conceivably you could be in a situation where the roots
> validate,
> > but validation fails further down the chain, making that scheme fail
> in
> > weird and unpredictable ways?
> http://www.bortzmeyer.org/dns-routing-hijack-turkey.html
> ?

I was thinking more about the case where, say, the root server keys validate, but the keys further down the chain have been changed, and the clock is set to a time in the interval between the respective beginnings of validity time... I would think that could happen with no malicious intent way too often for the root keys to be a very useful heuristic to use...


More information about the Cerowrt-devel mailing list