IETF Logo Mail Archive

Re: Practical issues deploying DNSSEC into the home.

Russ Housley <housley@vigilsec.com> Tue, 10 September 2013 20:52 UTC

Return-Path: <housley@vigilsec.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5C3E021E80B3 for <ietf@ietfa.amsl.com>; Tue, 10 Sep 2013 13:52:17 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -102.298
X-Spam-Level:
X-Spam-Status: No, score=-102.298 tagged_above=-999 required=5 tests=[AWL=0.300, BAYES_00=-2.599, HTML_MESSAGE=0.001, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id U2vjgjswbG8f for <ietf@ietfa.amsl.com>; Tue, 10 Sep 2013 13:52:10 -0700 (PDT)
Received: from odin.smetech.net (mail.smetech.net [208.254.26.82]) by ietfa.amsl.com (Postfix) with ESMTP id 2040421F9A71 for <ietf@ietf.org>; Tue, 10 Sep 2013 13:52:10 -0700 (PDT)
Received: from localhost (unknown [208.254.26.81]) by odin.smetech.net (Postfix) with ESMTP id 21C22F24222; Tue, 10 Sep 2013 16:53:00 -0400 (EDT)
X-Virus-Scanned: amavisd-new at smetech.net
Received: from odin.smetech.net ([208.254.26.82]) by localhost (ronin.smetech.net [208.254.26.81]) (amavisd-new, port 10024) with ESMTP id ckKj3PNFFayQ; Tue, 10 Sep 2013 16:51:55 -0400 (EDT)
Received: from [192.168.2.100] (pool-96-255-37-18.washdc.fios.verizon.net [96.255.37.18]) (using TLSv1 with cipher AES128-SHA (128/128 bits)) (No client certificate requested) by odin.smetech.net (Postfix) with ESMTP id 2D141F24221; Tue, 10 Sep 2013 16:52:57 -0400 (EDT)
Subject: Re: Practical issues deploying DNSSEC into the home.
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: multipart/alternative; boundary="Apple-Mail-37--1040316871"
From: Russ Housley <housley@vigilsec.com>
In-Reply-To: <CAGhGL2APj-XfuMUHgLsELnZRbRNCLrjMBxFBtcg4zx+5SG7Bag@mail.gmail.com>
Date: Tue, 10 Sep 2013 16:52:05 -0400
Message-Id: <443BBE5E-B412-4BDC-A5CA-913C203979E0@vigilsec.com>
References: <CAGhGL2APj-XfuMUHgLsELnZRbRNCLrjMBxFBtcg4zx+5SG7Bag@mail.gmail.com>
To: Jim Gettys <jg@freedesktop.org>
X-Mailer: Apple Mail (2.1085)
Cc: ietf@ietf.org, dns-security@lists.tislabs.com
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Tue, 10 Sep 2013 20:52:43 -0000

Jim:

> 1) DNSSEC needs to have the time within one hour.  But these devices do not have TOY clocks (and arguably, never will, nor even probably should ever have them).  
> 
> So how do you get the time after you power on the device?  The usual answer is "use ntp".  Except you can't do a DNS resolve when your time is incorrect.  You have a chicken and egg problem to resolve/hack around :-(.
> 
> Securely bootstrapping time in the Internet is something I believe needs doing....  and being able to do so over wireless links, not just relying on wired links.

NTP can be used to get time from an IP address.  I understand all of the reasons why a DNS name is preferred, but this a bootstrapping problem.

RFC 5906 offers a way for NTP responses to be authenticated.  So, if the IP address points to a NTP server that will give back a signed response, then the solution seems pretty straightforward.

Of course, the vendor will need to make sure that one or more NTP servers are available, and make sure that the public keys are in place to validate the signed NTP responses.  Over time these could change, but that could be handled by firmware updates.  Many installation procedures include fetching the latest firmware, but DNS and routing need to be working for that to work in this bootstrap environment.  Hopefully the firmware is authenticated too.  RFC 4108 offers one approach to solving that problem.

Russ

v2.29.0 | Report a Bug | By Email | System Status