> Oooh, new requirement: the LocalRoot server MUST have an accurate
> clock. This is not an entirely trivial requirement on unmanaged
> systems, e.g. my oven is right out, and who knows what my CPE is
> up to...
So your oven or CPE doesn't know what time it is. And now it needs to get the root zone. Does it do that over plain old HTTP? Or Do53? Alternatively, your oven or CPE sends an NTP query to the NTP pool. Now this time may be spoofed, in which case the attacker may provide an old copy of the root zone. If you are that paranoid, you may insist on a TLS connection (even ADoX would do). You can still combine that with a DNSSEC check on the ZONEMD record to prevent using a stale copy of the root zone.

_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
