Re: [mif] New Charter Items - NTP in RA for DNSSEC

Margaret Wasserman <> Sun, 13 March 2016 11:54 UTC

Return-Path: <>
Received: from localhost (localhost []) by (Postfix) with ESMTP id 59D9812D5AA for <>; Sun, 13 Mar 2016 04:54:52 -0700 (PDT)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -2.45
X-Spam-Status: No, score=-2.45 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_ENVFROM_END_DIGIT=0.25, FREEMAIL_FROM=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: (amavisd-new); dkim=pass (2048-bit key)
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id 1p4Xm4-iKiYn for <>; Sun, 13 Mar 2016 04:54:50 -0700 (PDT)
Received: from ( [IPv6:2607:f8b0:4002:c05::22c]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by (Postfix) with ESMTPS id 46E2112D5C0 for <>; Sun, 13 Mar 2016 04:54:50 -0700 (PDT)
Received: by with SMTP id g127so138324830ywf.2 for <>; Sun, 13 Mar 2016 04:54:50 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20120113; h=from:mime-version:subject:in-reply-to:date:cc:message-id:references :to; bh=fLJaDYK1NnnQPFxF8ZMKMFq+vUzjxB4FAj2y9Zv87Xc=; b=LdzJhjNehtYMK4iVTOFtgwn+zCVB8MbwrFkBqofvSiAJe+qsi7ka5RKXmUJt27HwqH 0sKCp+7ZDyWM0xC9WoavWhFNr3u+j7zIrNPgO0hG6IDJgCCBiKan9hDc28D0EC5JXyiv XFZ/JzoxxVixm5+RQBgybb3+bHP0UA7BdUMuW+nThFU8etPNTDiZ+1IIvND0BLCmXWUb gCzS2GdeFHYwdLolIxcjYmogS9P3Uu6KStHZrV1D4hJvSx04XE1Xjn/kvQ8SN2GSyXox iTpIfoNojmeqPK2A7Mqpt5TQ85BCD6O7QuGhqxXLF1A4j/vl08c82V6h5euXeUt1S9j0 XtMQ==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;; s=20130820; h=x-gm-message-state:from:mime-version:subject:in-reply-to:date:cc :message-id:references:to; bh=fLJaDYK1NnnQPFxF8ZMKMFq+vUzjxB4FAj2y9Zv87Xc=; b=QPv1TAON60An6Vld6jtgVYnaXx3WHr6otnIQdEyJlPQGFZGrtaSfczLc0QgOsA7eAT q5ETXWurc3bIh96Qpoz8fKa9n9z/iaJ/xgZxDNFIGOtNmh1KEQuvqhmnIPVjKKfV9n48 wR0sANS6ZIdqpl/NKQmUgayCyzAJJ/dmTFG2tXwm4E+Ylx9qbeqd+UNQsBDUOg6p+20p mupwlZJfOu69bmbFZi761pgg7cmUMXgfPWlTVu6PW4wjMzvi7tQFugxGzu/N4+tFqaZ0 RiaD/0UxtuFy0PNMkTVW9JN+fPatkZmZAjZiIn6GpwWHhbe1tNQWUTyGFpfKSRmiKoua Ab2g==
X-Gm-Message-State: AD7BkJIhN4y6ivzVboTt252PJbhvE/OLN6A0gde2vvEZz+TdL4JTE8lfNFXjSS3Y3Y0DVA==
X-Received: by with SMTP id o3mr10510684ywe.329.1457870089528; Sun, 13 Mar 2016 04:54:49 -0700 (PDT)
Received: from new-host.home ( []) by with ESMTPSA id q141sm11111273ywg.2.2016. (version=TLS1 cipher=ECDHE-RSA-AES128-SHA bits=128/128); Sun, 13 Mar 2016 04:54:47 -0700 (PDT)
From: Margaret Wasserman <>
X-Google-Original-From: Margaret Wasserman <>
Content-Type: multipart/signed; boundary="Apple-Mail=_4B5BCF87-F63E-49AB-B746-521D9F2D1FB6"; protocol="application/pgp-signature"; micalg=pgp-sha512
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
In-Reply-To: <>
Date: Sun, 13 Mar 2016 07:54:45 -0400
Message-Id: <>
References: <> <> <> <>
To: Markus Stenberg <>
X-Mailer: Apple Mail (2.1510)
Archived-At: <>
Subject: Re: [mif] New Charter Items - NTP in RA for DNSSEC
X-Mailman-Version: 2.1.17
Precedence: list
List-Id: Multiple Interface Discussion List <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Sun, 13 Mar 2016 11:54:52 -0000

On Mar 13, 2016, at 5:26 AM, Markus Stenberg <> wrote:
> NTP RA option would not really fix the solution securely anyway, as secure RA does not really happen. And secure NTP is also something that does not really happen. So there is chicken and egg problem there that is relatively far out of MIF scope I think.

Since we get our information on how to reach the DNS from RAs, getting our NTP information there isn't any less secure than getting our time information somewhere else, and then using to to reach the DNS we received in an RA, is it?

Having NTP information passed in an RA doesn't make RAs more secure, but it does change the threat model of a DNS lookup.  For regular DNS, the attacker only needs to spoof a DNS server (ours or one higher up in the tree), whereas to attack us in the case where we are getting an NTP server in an RA and using DNSSEC, the attacker also needs to be able to inject traffic on our local network that looks like it came form our router.  So, configuring an NTP Server via RAs and using DNSSEC is more secure than just using DNS, even if we can't/don't secure the mechanism via which our DNS and NTP Server are configured.

> IETF being IETF, we cannot specify insecure things these days officially but all base things are insecure and/or undeployed.

The spectre of the intractable security AD who blocks your work until you secure the entire Internet is just a holdover from a less reasonable time, IMO.  With the current ADs, you can generally specify something that is (1) more secure than the alternative, and/or (2) not less secure than what you are replacing.  It sometimes requires that you work with the ADs to help them understand that.

I am really quite sure that the security ADs would not block a new RA option because we didn't figure out how to get the world to deploy SEND.