Olafur Gudmundsson wrote:

>> So how do you get the time after you power on the device?  The usual
>> answer is "use ntp".  Except you can't do a DNS resolve when your
>> time is incorrect.  You have a chicken and egg problem to
>> resolve/hack around :-(.

It is one reason why DNSSEC is not worth deploying.

> My colleagues and I worked on OpenWrt routers to get Unbound to work there.
> What you need to do is to start DNS up in non-validating mode,
> wait for NTP to fix time, then check if the link allows DNSSEC answers
> through, at which point you can enable DNSSEC validation.

That's not secure, especially when some (root, TLD, etc.) expired
zone key is/was compromised.

                                                Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop
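
Added example, not part of the original message or of Unbound: the RRSIG validity-window check a validator applies (RFC 4034, section 3.1.5), run against three device clocks to show why a freshly booted device cannot validate and why a clock sitting in the past accepts a signature that has since expired. The signature dates, clock values and function names are constructed for illustration.

```python
from datetime import datetime, timezone

MOD = 2 ** 32  # RRSIG inception/expiration are 32-bit seconds since the epoch


def serial_le(a: int, b: int) -> bool:
    """a <= b under RFC 1982 serial number arithmetic on 32-bit values."""
    return ((b - a) % MOD) < 2 ** 31


def rrsig_time_ok(now: int, inception: int, expiration: int) -> bool:
    """True when the validator's clock lies inside the signature validity window."""
    now %= MOD
    return serial_le(inception, now) and serial_le(now, expiration)


def ts(year: int, month: int, day: int) -> int:
    """UTC midnight of the given date as epoch seconds."""
    return int(datetime(year, month, day, tzinfo=timezone.utc).timestamp())


# Constructed validity windows (inception, expiration); not real zone data.
CURRENT_SIG = (ts(2024, 6, 1), ts(2024, 6, 15))   # signature served today
EXPIRED_SIG = (ts(2019, 1, 1), ts(2019, 1, 15))   # old signature, long expired

# Constructed device clocks.
CLOCKS = {
    "correct (after NTP)": ts(2024, 6, 8),
    "no RTC, boots at epoch": 0,
    "stuck at old firmware date": ts(2019, 1, 8),
}


def evaluate(clock: int) -> dict:
    """Which of the two signatures pass the time check at this clock value."""
    return {
        "current": rrsig_time_ok(clock, *CURRENT_SIG),
        "expired": rrsig_time_ok(clock, *EXPIRED_SIG),
    }


if __name__ == "__main__":
    for label, clock in CLOCKS.items():
        print(f"{label:28s} {evaluate(clock)}")
```

The time check is the only thing that separates the current signature from the expired one here, so whatever sets the clock decides which of them the validator will accept.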
