On 2026-03-05 19:34 UTC, Joe Abley <[email protected]> wrote:
> On 5 Mar 2026, at 19:26, Philip Homburg <[email protected]> wrote:
>
>> So your oven or CPE doesn't know what it is. And now it needs to get
>> the root zone. Does it do that over plain old HTTP? Or Do53?
>
> I think the point is how to validate what you retrieve, not how you retrieve
> it.
>
> Years ago Dave Knight and I wrote a document that described how a
> validator might bootstrap itself from cold, first start. One of the
> imagined purposes of what we wrote was to provide guidance to
> unattended, unmanaged devices of which the aforementioned oven that is
> apparently running a resolver with local root might be an implausible
> example.
>
> In that document we described a state machine of requirements before
> validation could take place, including trust anchor retrieval and
> gaining a sufficiently accurate sense of time.
>
> I think the point with this oven is not that it needs an accurate
> clock to do localroot, it's that it needs an accurate clock (amongst
> other things) to do DNSSEC validation. It's the ability to validate
> that would be the direct requirement for localroot.
Indeed, draft-wkumari-dnsop-localroot-bcp-03, 3.2. point 4:
4. Having successfully downloaded a copy of the IANA root zone, the
LocalRoot implementation MUST verify the contents of the IANA
root zone data using the ZONEMD [RFC8976] record contained within
it. Note that this REQUIRES verification of the ZONEMD record
using DNSSEC [BCP237] with the configured IANA root zone trust
anchor.
The problem is, typical off-the-shelf validating resolvers do not check
if they have an accurate time, they assume that they do. (Rightly so, I
would say, it's the problem of the OS to provide accurate time).
Now, I'm hearing an intention that LocalRoot should be on by
default. I'm not convinced that the typical CPE vendor appreciates the
consequences if they bring in an off-the-shelf-resolver that turns this
on. I.e. suddenly they have to have accurate time before they can turn on
the local resolver, while in the past there was probably not a hard
requirement on accurate time on the CPE.
>
> https://datatracker.ietf.org/doc/html/draft-jabley-dnsop-validator-bootstrap
>
> (I still think this document is useful and would be happy to dig it out of
> the grave if anybody else also thinks that.)
>
>
> Joe
--
In my defence, I have been left unsupervised.
_______________________________________________
DNSOP mailing list -- [email protected]
To unsubscribe send an email to [email protected]
