Jim: > 1) DNSSEC needs to have the time within one hour. But these devices do not > have TOY clocks (and arguably, never will, nor even probably should ever have > them). > > So how do you get the time after you power on the device? The usual answer > is "use ntp". Except you can't do a DNS resolve when your time is incorrect. > You have a chicken and egg problem to resolve/hack around :-(. > > Securely bootstrapping time in the Internet is something I believe needs > doing.... and being able to do so over wireless links, not just relying on > wired links.
NTP can be used to get time from an IP address. I understand all of the reasons why a DNS name is preferred, but this a bootstrapping problem. RFC 5906 offers a way for NTP responses to be authenticated. So, if the IP address points to a NTP server that will give back a signed response, then the solution seems pretty straightforward. Of course, the vendor will need to make sure that one or more NTP servers are available, and make sure that the public keys are in place to validate the signed NTP responses. Over time these could change, but that could be handled by firmware updates. Many installation procedures include fetching the latest firmware, but DNS and routing need to be working for that to work in this bootstrap environment. Hopefully the firmware is authenticated too. RFC 4108 offers one approach to solving that problem. Russ
