Re: Practical issues deploying DNSSEC into the home.

Tony Finch <dot@dotat.at> Tue, 10 September 2013 17:36 UTC

Date: Tue, 10 Sep 2013 18:36:31 +0100
From: Tony Finch <dot@dotat.at>
X-X-Sender: fanf2@hermes-2.csi.cam.ac.uk
To: Paul Wouters <paul@cypherpunks.ca>
Subject: Re: Practical issues deploying DNSSEC into the home.
In-Reply-To: <alpine.LFD.2.10.1309101205120.4683@bofh.nohats.ca>
Message-ID: <alpine.LSU.2.00.1309101831460.25110@hermes-2.csi.cam.ac.uk>
References: <CAGhGL2APj-XfuMUHgLsELnZRbRNCLrjMBxFBtcg4zx+5SG7Bag@mail.gmail.com> <alpine.LFD.2.10.1309101205120.4683@bofh.nohats.ca>
User-Agent: Alpine 2.00 (LSU 1167 2008-08-23)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
Sender: Tony Finch <fanf2@hermes.cam.ac.uk>
Cc: dns-security@lists.tislabs.com, ietf@ietf.org

Paul Wouters <paul@cypherpunks.ca> wrote:
>
> One solution is "tlsdate" which uses the installed bundled CA (or comes
> with its own) and runs TLS against a bunch of well known large sites
> (using insecure DNS) and sets the time based on the TLS handshakes.

I believe tlsdate currently only gets the time from one server. It would
be nice if it could determine the time based on agreement of a quorum of
diverse servers, so that no single source of time needs to be trusted. (I
have talked about this with Jacob Appelbaum but I haven't had time to do
anything about it.)

Tony.
-- 
f.anthony.n.finch  <dot@dotat.at>  http://dotat.at/
Forties, Cromarty: East, veering southeast, 4 or 5, occasionally 6 at first.
Rough, becoming slight or moderate. Showers, rain at first. Moderate or good,
occasionally poor at first.
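The quorum idea above (accept a time only when several diverse sources agree, so that no single server has to be trusted) is easy to show in code. The following is an added example, not code from tlsdate or from either author; the hostnames and the timestamps they report are constructed for illustration, and the tolerance and quorum size are assumptions a deployer would tune.

```python
from statistics import median

# Constructed sample: Unix timestamps reported by hypothetical servers.
# The hostnames are placeholders, not real measurements. One source
# ("rogue.example") reports a time roughly 18 hours in the future.
SAMPLES = {
    "a.example": 1378834591,
    "b.example": 1378834593,
    "c.example": 1378834590,
    "d.example": 1378834592,
    "rogue.example": 1378900000,
}


def largest_agreeing_cluster(samples, tolerance):
    """Return the largest group of (name, time) pairs whose times all lie
    within `tolerance` seconds of one another.

    Times are sorted and scanned with a sliding window; because the list is
    sorted, the window start only ever moves forward, so this is O(n log n).
    """
    ordered = sorted(samples.items(), key=lambda kv: kv[1])
    best = []
    start = 0
    for end in range(len(ordered)):
        # Shrink the window from the left until it fits within the tolerance.
        while ordered[end][1] - ordered[start][1] > tolerance:
            start += 1
        if end - start + 1 > len(best):
            best = ordered[start:end + 1]
    return best


def quorum_time(samples, tolerance=5, quorum=3):
    """Decide the current time from several sources.

    Returns (time, agreeing_sources). `time` is the median of the largest
    agreeing cluster when that cluster has at least `quorum` members, and
    None otherwise, in which case the caller should refuse to set the clock
    rather than trust whatever is available. `tolerance` (seconds) should
    allow for TLS handshake round-trip time and coarse server clocks.
    """
    cluster = largest_agreeing_cluster(samples, tolerance)
    names = [name for name, _ in cluster]
    if len(cluster) < quorum:
        return None, names
    # Median rather than mean: an outlier that sneaks inside the tolerance
    # window still cannot drag the result toward its own value.
    return int(median(t for _, t in cluster)), names


if __name__ == "__main__":
    agreed, sources = quorum_time(SAMPLES)
    if agreed is None:
        print("no quorum; refusing to set the clock")
    else:
        print(f"quorum of {len(sources)} sources agrees on {agreed}")
```

With the constructed sample the four honest sources form the winning cluster and the rogue one is simply ignored; if only one or two sources were reachable, or the reachable ones disagreed, the function returns None and the clock is left alone. Diversity of operators and of the CAs vouching for them is what makes the quorum meaningful; the code only counts sources, so choosing them is still up to the deployer.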