On Wed, Apr 02, 2014 at 11:33:20AM -0400, Ted Lemon wrote:
> Bear in mind that all you _really_ have to do is get a bogus ZSK with the
> current time into the resolver, which you may be able to do with some
> clever NTP shenanigans over a relatively short timescale. But yeah,
> this isn't likely to be useful except in cases where a device has been
> powered off, doesn't have an accurate battery-backed-up clock, and does
> DNSSEC, which is a weird set of circumstances.

I predict that will be a less weird set of circumstances in a year or so:
dnsmasq now has DNSSEC validation in beta.

(Tony Finch has a nifty idea to replace ntpdate with a quorum of tlsdate
responses; it might still be subvertible but it would be a much harder
nut to crack. https://git.csx.cam.ac.uk/x/ucs/u/fanf2/temporum.git)

--
Evan Hunt -- e...@isc.org
Internet Systems Consortium, Inc.