Jim Gettys wrote:
Radio clock receivers often don't work where these devices are deployed
(like in my basement). Not enough view of the sky (and multiple layers of
floors). Radios are nice to have, but can't be guaranteed to work.
No, the problem of radio clock is not its availability but
On Fri, Sep 13, 2013 at 5:33 PM, Glen Wiley glen.wi...@gmail.com wrote:
This discussion highlights the importance of making sure that hardware
vendors understand the need for working clocks that can be easily
bootstrapped. In addition to NTP radio clock receivers are ubiquitous,
tiny and
Dickson, Brian wrote:
In order to subvert or redirect a delegation, the TLD operator (or
registrar) would need to change the DNS server name/IP, and replace the DS
record(s).
Only to a victim to be deceived.
This would be immediately evident to the domain owner, when they query the
TLD
Hi Paul,
At 08:17 12-09-2013, Paul Wouters wrote:
the NSA's Key Recovery Service. Secondly, if the web site has all
http://www.youtube.com/watch?v=-qrlDGhoI1Q
See above. But also, you can use various open resolvers. The Fedora
Project even runs a few for dnssec-trigger that are accessable
Hi Tony,
At 05:27 12-09-2013, Tony Finch wrote:
But if you care about security you can - with useful effect - choose a
registrar with better security processes, and you can use a registry lock
to prevent other registrars from undermining that security.
There is a well-known domain for a
On Sat, 14 Sep 2013, SM wrote:
See above. But also, you can use various open resolvers. The Fedora
Project even runs a few for dnssec-trigger that are accessable only via
TCP - I'm hoping more people will put up TCP-only open resolvers,
especially with:
RFC 5358 has a SHOULD NOT for open
On Wed, 11 Sep 2013, Olafur Gudmundsson wrote:
On Sep 10, 2013, at 8:17 PM, David Morris d...@xpasc.com wrote:
On Wed, 11 Sep 2013, Brian E Carpenter wrote:
On 11/09/2013 09:59, Olafur Gudmundsson wrote:
...
My colleagues and I worked on OpenWrt routers to get Unbound to
Ted,
What I like about this message is that you have demonstrated the
*potential* severability of these issues. Things are set up as they are
for a matter of scaling. Clearly it ain't perfect, and as one of my
mentors would say, that represents an opportunity. It's also pretty
clear that we
Phillip Hallam-Baker hal...@gmail.com wrote:
2. The current time is a matter of convention rather than a natural
property. It is therefore impossible to determine the time without
reference to at least one trusted party.
Preferably more than one so you can use quorum agreement and minimize
On Thu, 12 Sep 2013, Theodore Ts'o wrote:
More importantly, what problem do people think DNSSEC is going to
solve?
It is still a hierarchical model of trust. So at the top, if you
don't trust Verisign for the .COM domain and PIR for the .ORG domain
(and for people who are worried about the
On Thu, Sep 12, 2013 at 10:22:10AM -0400, Paul Wouters wrote:
Any co-ercing that happens has to be globally visible, if the target
ensures he is using random nameservers to query for data.
Not necessarily. First of all, an active attacker located close to
the target can simply replace the
On Sep 12, 2013, at 7:24 AM, Theodore Ts'o ty...@mit.edu wrote:
It is still a hierarchical model of trust. So at the top, if you
don't trust Verisign for the .COM domain and PIR for the .ORG domain
(and for people who are worried about the NSA, both of these are US
corporations), the whole
On Thu, 12 Sep 2013, Theodore Ts'o wrote:
Any co-ercing that happens has to be globally visible, if the target
ensures he is using random nameservers to query for data.
Not necessarily. First of all, an active attacker located close to
the target can simply replace the DNS replies with bogus
On Wed, Sep 11, 2013 at 03:38:21PM -0400, Phillip Hallam-Baker wrote:
I disagree. DNSSEC is not just DNS: its the only available, deployed, and
(mostly) accessible global PKI currently in existence which also includes a
constrained path of trust which follows already established business
On Sep 12, 2013, at 7:24 AM, Theodore Ts'o ty...@mit.edu wrote:
It is still a hierarchical model of trust. So at the top, if you
don't trust Verisign for the .COM domain and PIR for the .ORG domain
(and for people who are worried about the NSA, both of these are US
corporations), the whole
On Thu, Sep 12, 2013 at 04:46:01PM +, Ted Lemon wrote:
The model for this sort of validation is really not on a per-client
basis, but rather depends on routine cross-validation by various
DNSSEC operators throughout the network. This will not necessarily
catch a really focused attack,
On Sep 12, 2013, at 1:21 PM, Theodore Ts'o ty...@mit.edu wrote:
Still, I agree with the general precept that perfect should not enemy
of the better, and DNSSEC certainly adds value. I just get worried
about people who seem to think that DNSSEC is a panacea.
Me too. It most certainly is not.
On Sep 12, 2013, at 2:35 PM, Phillip Hallam-Baker hal...@gmail.com wrote:
It would work just fine if the attacker did not mind if the surveillance was
detected or actually wanted people to know they were being watched to
intimidate them.
Yup,neither PKI nor DNSSEC address that threat model.
Chiming in a bit late here, however, the availability of stratum 1 clocks
and stratum 2 class time data on non IP and/or non interconnected networks
is now so large, I question why one would run NTP outside of the building
in many cases, certainly in an enterprise of any size.
A 1pulse per second
On Thu, Sep 12, 2013 at 1:21 PM, Theodore Ts'o ty...@mit.edu wrote:
On Thu, Sep 12, 2013 at 04:46:01PM +, Ted Lemon wrote:
The model for this sort of validation is really not on a per-client
basis, but rather depends on routine cross-validation by various
DNSSEC operators throughout
On 9/12/13 7:24 AM, Theodore Ts'o ty...@mit.edu wrote:
On Wed, Sep 11, 2013 at 03:38:21PM -0400, Phillip Hallam-Baker wrote:
I disagree. DNSSEC is not just DNS: its the only available,
deployed, and
(mostly) accessible global PKI currently in existence which also
includes a
constrained
On Sep 12, 2013, at 11:07 AM, Theodore Ts'o ty...@mit.edu wrote:
Finally, if you think the target can try to find random caching
nameservers all across the networ to use, (a) there are certain
environments where this is not allowed --- some ISP's or hotel/coffee
shop/airline's networks require
On 9/12/13 2:07 PM, Ted Lemon ted.le...@nominum.com wrote:
On Sep 12, 2013, at 1:49 PM, Dickson, Brian bdick...@verisign.com
wrote:
In order to subvert or redirect a delegation, the TLD operator (or
registrar) would need to change the DNS server name/IP, and replace the
DS
record(s).
Someone
On Thu, Sep 12, 2013 at 2:07 PM, Ted Lemon ted.le...@nominum.com wrote:
On Sep 12, 2013, at 1:49 PM, Dickson, Brian bdick...@verisign.com
wrote:
In order to subvert or redirect a delegation, the TLD operator (or
registrar) would need to change the DNS server name/IP, and replace the
DS
On Sep 12, 2013, at 3:16 PM, Dickson, Brian bdick...@verisign.com wrote:
Excluding the direct methods of acquisition, let us consider the level of
effort involved in recreating the root key, by brute force.
I think we can assume that they would use some fairly subtle attack to get the
key, and
On Sep 12, 2013, at 1:49 PM, Dickson, Brian bdick...@verisign.com wrote:
In order to subvert or redirect a delegation, the TLD operator (or
registrar) would need to change the DNS server name/IP, and replace the DS
record(s).
Someone who possesses the root key could in principle create a fake
Ted Lemon wrote:
This isn't _quite_ true. DNSSEC supports trust anchors at
any point in the hierarchy, and indeed I think the right
model for DNSSEC is that you would install trust anchors
for things you really care about, and manage them in the
same way that you manage your root trust
robert bownes wrote:
A 1pulse per second aligned to GPS is good to a few ns. Fairly
straightforward to plug into even a OpenWrt type of router. Turn on
the pps
in NTP on the router and you are good to go.
Faking GPS signal is trivially easy.
Iraq successfully captured US unmanned plain,
On Wed, 11 Sep 2013, Brian E Carpenter wrote:
On 11/09/2013 09:59, Olafur Gudmundsson wrote:
...
My colleagues and I worked on OpenWrt routers to get Unbound to work there,
what you need to do is to start DNS up in non-validating mode
wait for NTP to fix time, then check if the link
On Sep 10, 2013, at 8:17 PM, David Morris d...@xpasc.com wrote:
On Wed, 11 Sep 2013, Brian E Carpenter wrote:
On 11/09/2013 09:59, Olafur Gudmundsson wrote:
...
My colleagues and I worked on OpenWrt routers to get Unbound to work there,
what you need to do is to start DNS up in
On Sep 10, 2013, at 6:45 PM, Evan Hunt e...@isc.org wrote:
On Tue, Sep 10, 2013 at 05:59:52PM -0400, Olafur Gudmundsson wrote:
My colleagues and I worked on OpenWrt routers to get Unbound to work
there, what you need to do is to start DNS up in non-validating mode wait
for NTP to fix time,
On Sep 11, 2013, at 9:18 AM, Phillip Hallam-Baker hal...@gmail.com wrote:
The DNS is the naming infrastructure of the Internet. While it is in theory
possible to use the DNS to advertise very rapid changes to Internet
infrastructure, the practice is that the Internet infrastructure will
On Wed, Sep 11, 2013 at 12:08 PM, Paul Wouters p...@nohats.ca wrote:
On Wed, 11 Sep 2013, Joe Abley wrote:
1. We only need to know the current time to an accuracy of 1 hour.
[RRSIG expiration times are specified with a granularity of a second,
right?
I appreciate that most people are
On Wed, 11 Sep 2013, Joe Abley wrote:
1. We only need to know the current time to an accuracy of 1 hour.
[RRSIG expiration times are specified with a granularity of a second, right?
I appreciate that most people are generous with signature inception and expiration times
in order to
On Wed, Sep 11, 2013 at 12:26 PM, Nicholas Weaver nwea...@icsi.berkeley.edu
wrote:
On Sep 11, 2013, at 9:18 AM, Phillip Hallam-Baker hal...@gmail.com
wrote:
The DNS is the naming infrastructure of the Internet. While it is in
theory possible to use the DNS to advertise very rapid changes
On Sep 11, 2013, at 12:38 PM, Phillip Hallam-Baker hal...@gmail.com wrote:
I disagree. DNSSEC is not just DNS: its the only available, deployed, and
(mostly) accessible global PKI currently in existence which also includes a
constrained path of trust which follows already established
On 2013-09-11, at 11:43, Phillip Hallam-Baker hal...@gmail.com wrote:
OK lets consider the trust requirements here.
1. We only need to know the current time to an accuracy of 1 hour.
[RRSIG expiration times are specified with a granularity of a second, right?
I appreciate that most people
On Wed, 11 Sep 2013, Olafur Gudmundsson wrote:
I think you can avoid that issue by having the device not pass traffic
until the DNSSEC validation is enabled. Only the device needs the special
permissive handling for this to work.
You mean only allow NTP and DNS traffic in the beginning, until
OK lets consider the trust requirements here.
1. We only need to know the current time to an accuracy of 1 hour.
2. The current time is a matter of convention rather than a natural
property. It is therefore impossible to determine the time without
reference to at least one trusted party.
2a) A
On 2013-09-10, at 17:59, Olafur Gudmundsson o...@ogud.com wrote:
[cc'ed to a more approriate IETF wg]
... and I'll gratuitously mention draft-jabley-dnsop-validator-bootstrap here
too, since it addresses exactly this topic.
Joe
___
DNSOP mailing
On 11/09/2013 09:59, Olafur Gudmundsson wrote:
...
My colleagues and I worked on OpenWrt routers to get Unbound to work there,
what you need to do is to start DNS up in non-validating mode
wait for NTP to fix time, then check if the link allows DNSSEC answers
through, at which point you can
On Tue, Sep 10, 2013 at 05:59:52PM -0400, Olafur Gudmundsson wrote:
My colleagues and I worked on OpenWrt routers to get Unbound to work
there, what you need to do is to start DNS up in non-validating mode wait
for NTP to fix time, then check if the link allows DNSSEC answers
through, at which
Olafur Gudmundsson wrote:
So how do you get the time after you power on the device? The usual
answer is use ntp. Except you can't do a DNS resolve when your
time is incorrect. You have a chicken and egg problem to
resolve/hack around :-(.
It is one reason why DNSSEC does not worth
[cc'ed to a more approriate IETF wg]
On Sep 10, 2013, at 11:55 AM, Jim Gettys j...@freedesktop.org wrote:
Ted T'so referred to a conversation we had last week. Let me give the
background.
Dave Taht has been doing an advanced version of OpenWrt for our bufferbloat
work (called CeroWrt
44 matches
Mail list logo