Re: [ntpwg] [dhcwg] DNSSEC in names vs. numbers for NTP server information in DHCP
"TS Glassey" <tglassey@earthlink.net> Thu, 29 November 2007 16:06 UTC
From: TS Glassey <tglassey@earthlink.net>
To: Masataka Ohta <mohta@necom830.hpcl.titech.ac.jp>, shane_kerr@isc.org
Subject: Re: [ntpwg] [dhcwg] DNSSEC in names vs. numbers for NTP server information in DHCP
Date: Thu, 29 Nov 2007 08:06:22 -0800
Cc: ntpwg@lists.ntp.org, dhcwg@ietf.org
Ohta-san,

----- Original Message -----
From: "Masataka Ohta" <mohta@necom830.hpcl.titech.ac.jp>
To: <shane_kerr@isc.org>
Cc: <ntpwg@lists.ntp.org>; <dhcwg@ietf.org>
Sent: Tuesday, November 27, 2007 5:01 PM
Subject: Re: [ntpwg] [dhcwg] DNSSEC in names vs. numbers for NTP server information in DHCP

> Shane Kerr wrote:
>
>> It occurs to me that DNSSEC requires accurate time.
>
> DNSSEC requires *SECURE* accurate time.

yes.

>> It seems like we have to provide IP addresses for NTP servers for this
>> reason.

Not necessarily, but rather a secured timesetting event which operated inside the DHCP process context.

> It is required that DHCP clients and NTP servers allocated by DHCP
> *SECURELY* share some information for the DHCP clients authenticate
> the NTP servers.

meaning that the DHCP Server itself should also double as the NTP Server for its client only. That is the best solution possible with the way DHCP works now.

> It, in practice, means shared authentication information must be hand
> configured in the DHCP clients and associated NTP servers, which
> means there is no need for DHCP service provide NTP server for secure
> DNS.

yes it would. The idea that the DHCP server also double for setting the time of day of the requesting DHCP client is a good idea too.

> Masataka Ohta
>
> PS
>
> Still, secure DNS is only weakly secure, that is, as secure as
> plain DNS that there is no reason to deploy it. That is, just as
> plain DNS is vulnerable to compromised intermediate entities such
> as ISPs or zone admins, secure DNS is vulnerable to compromised
> intermediate entities of zone admins or NTP servers.
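
The time dependency this thread argues about, as an added example that is not part of the original message or of any DHCP, NTP or DNSSEC implementation: a validator compares its own clock against the RRSIG inception and expiration fields (RFC 4034, section 3.1.5, using RFC 1982 serial arithmetic), so a client that boots with an unset clock cannot validate the name of the NTP server it needs in order to set that clock. The RRSIG times, the host name and the `bootstrap` helper are constructed for illustration, and only the time window is checked, not the signature itself.

```python
from datetime import datetime, timezone

MOD = 2 ** 32  # RRSIG inception/expiration are 32-bit seconds since the epoch

def serial_lt(a, b):
    """RFC 1982 serial comparison on 32-bit values: True if a precedes b."""
    return a != b and ((b - a) % MOD) < 2 ** 31

def ts(text):
    """Parse the YYYYMMDDHHmmSS presentation form used for RRSIG time fields."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % MOD

def rrsig_time_check(inception, expiration, now):
    """Classify the signature as seen from the validator's clock 'now'."""
    if serial_lt(now, inception):
        return "not-yet-valid"
    if serial_lt(expiration, now):
        return "expired"
    return "valid"

def bootstrap(clock, ntp_option, rrsig):
    """Hypothetical client logic: can the DHCP-supplied NTP server be reached?"""
    if ntp_option["kind"] == "address":
        # An IP address needs no DNS lookup, hence no dependency on the clock.
        return "use " + ntp_option["value"]
    status = rrsig_time_check(rrsig["inception"], rrsig["expiration"], clock)
    if status != "valid":
        return "DNSSEC validation fails: signature " + status
    return "resolve " + ntp_option["value"]

# Constructed sample: a signature valid for 30 days around the thread's date.
SAMPLE_RRSIG = {"inception": ts("20071115000000"),
                "expiration": ts("20071215000000")}

if __name__ == "__main__":
    by_name = {"kind": "name", "value": "ntp.example.net"}
    by_addr = {"kind": "address", "value": "192.0.2.123"}
    for label, clock in [("correct clock", ts("20071129160600")),
                         ("unset clock (epoch)", ts("19700101000000")),
                         ("clock running ahead", ts("20080301000000"))]:
        print(label, "|", bootstrap(clock, by_name, SAMPLE_RRSIG),
              "|", bootstrap(clock, by_addr, SAMPLE_RRSIG))
```
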