Florian Obser <[email protected]> writes:

> 4. Having successfully downloaded a copy of the IANA root zone, the
> LocalRoot implementation MUST verify the contents of the IANA
> root zone data using the ZONEMD [RFC8976] record contained within
> it. Note that this REQUIRES verification of the ZONEMD record
> using DNSSEC [BCP237] with the configured IANA root zone trust
> anchor.
>
> The problem is, typical off-the-shelf validating resolvers do not check if they have an accurate time, they assume that they do. (Rightly so, I would say, it's the problem of the OS to provide accurate time).

So, the new LocalRoot documents (currently) require you to validate the ZONEMD record using DNSSEC. DNSSEC requires that you have an accurate clock (or else the inception and expiration times are already a problem). So I don't think that the LocalRoot documents need to explicitly state (again) that an accurate clock is needed, because it's already implied by the requirement for using DNSSEC. IMHO.

--
Wes Hardaker
Google
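
The clock dependency discussed in this thread, as an added example that is not part of the original message or of any LocalRoot implementation: a validator compares the RRSIG inception and expiration fields against its own clock using RFC 1982 serial arithmetic (RFC 4034, section 3.1.5), so a wrong clock rejects an otherwise good signature over the ZONEMD record. The timestamps and function names below are constructed for illustration.

```python
import calendar
import time

MOD = 1 << 32  # RRSIG time fields are 32-bit seconds since the epoch


def rrsig_time(ts: str) -> int:
    """Convert an RRSIG presentation timestamp (YYYYMMDDHHmmSS, UTC) to 32 bits."""
    return calendar.timegm(time.strptime(ts, "%Y%m%d%H%M%S")) % MOD


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 serial-number comparison 'a < b' for 32-bit values."""
    return a != b and ((b - a) % MOD) < (1 << 31)


def check_window(inception: str, expiration: str, now: int) -> str:
    """Classify the validator's clock against an RRSIG validity window."""
    inc, exp, cur = rrsig_time(inception), rrsig_time(expiration), now % MOD
    if serial_lt(cur, inc):
        return "not-yet-valid"   # clock is behind the inception time
    if serial_lt(exp, cur):
        return "expired"         # clock is past the expiration time
    return "valid"


# Constructed sample window for an RRSIG covering the root ZONEMD RRset.
INCEPTION = "20250101000000"
EXPIRATION = "20250115000000"

if __name__ == "__main__":
    clocks = {
        "accurate clock": rrsig_time("20250108000000"),
        "clock reset to epoch (no RTC)": 0,
        "clock one year ahead": rrsig_time("20260108000000"),
    }
    for label, now in clocks.items():
        print(f"{label}: {check_window(INCEPTION, EXPIRATION, now)}")
```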
