Olafur Gudmundsson wrote:

>> So how do you get the time after you power on the device? The usual
>> answer is "use ntp". Except you can't do a DNS resolve when your
>> time is incorrect. You have a chicken and egg problem to
>> resolve/hack around :-(.

It is one reason why DNSSEC is not worth deploying.

> My colleagues and I worked on OpenWrt routers to get Unbound to work there,
> what you need to do is to start DNS up in non-validating mode
> wait for NTP to fix time, then check if the link allows DNSSEC answers
> through, at which point you can enable DNSSEC validation.

That's not secure, especially when some (root, TLD, etc.) expired zone key is/was compromised.

Masataka Ohta

_______________________________________________
DNSOP mailing list
DNSOP@ietf.org
https://www.ietf.org/mailman/listinfo/dnsop