DNSSEC validation without current time

Dave Warren dw at thedave.ca
Mon Dec 18 06:07:41 UTC 2017


On 2017-12-15 06:23, Petr Menšík wrote:
> 
> On 15.12.2017 at 13:06 G.W. Haywood via bind-users wrote:
>> Hi there,
>>
>> On Fri, 15 Dec 2017, Petr Menšík wrote:
>>
>>> ... current time is not available or can be inaccurate.
>>
>> ntpdate?
>>
> Sure, of course. What would be the default host after installation that can
> be used in a default installation image without manual configuration? And
> how does it resolve that name when the date of the system is 1970-1-1 or
> something only a bit more accurate?
> 
> Current pool.ntp.org addresses are unsigned now, so that would work
> anyway. If I want spoof protection, what should I do?

Do two passes. First: Use DNS without DNSSEC validation to obtain a list 
of NTP servers, and thereby determine the current time. Second: Use DNS 
with DNSSEC to obtain a list of (trusted) NTP servers, and verify the time.

The second pass might detect the list of IPs has changed and bypass the 
second NTP pass as we now know the previous IPs were valid, but you must 
be prepared for DNS to return different IPs from a pool and to therefore 
re-verify the time -- we don't care if the IP list has changed, only 
that the time is valid.

The only real challenge is to avoid letting anything else trust the time 
received in phase 1 until it has been validated by phase 2.
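As an added illustration of the two-pass scheme described in this reply (not code from the thread, and not BIND or ntpdate code), the following Python sketch keeps the phase-1 time provisional and hands it to the rest of the system only after the DNSSEC-validated pass confirms it. The resolver, NTP servers, addresses, pool name and RRSIG validity windows are all constructed stand-ins so it runs offline; DNSSEC validation is modelled by the one property that matters here, that an RRSIG is only acceptable when the clock falls inside its inception/expiration window. It always re-queries NTP after the validated lookup, the conservative option the reply allows, and includes a forged-first-pass scenario in which a bogus clock is caught because it lands outside that window.

```python
# Two-pass time bootstrap (added illustration, not code from the bind-users thread).
# Every network-facing piece is a constructed stand-in; no real addresses or signatures.
from dataclasses import dataclass
from statistics import median_low
from typing import Optional, Sequence


class TimeBootstrapError(Exception):
    """Raised when the DNSSEC-validated pass does not confirm the provisional time."""


@dataclass(frozen=True)
class DnsAnswer:
    """One answer for the NTP pool name. inception/expiration model the RRSIG
    validity window (Unix seconds); signature_ok stands in for the signature check."""
    ips: tuple
    inception: int
    expiration: int
    signature_ok: bool = True


class FakeResolver:
    """Stand-in for a stub resolver. Successive answers model pool rotation."""

    def __init__(self, answers: Sequence[DnsAnswer]):
        self._answers = list(answers)

    def lookup(self, name: str, validate: bool, now: Optional[int]) -> tuple:
        answer = self._answers.pop(0) if len(self._answers) > 1 else self._answers[0]
        if not validate:
            return answer.ips  # pass 1: take whatever the network says, unverified
        # Validation needs a clock: an RRSIG is only valid inside its window, so a
        # wildly wrong provisional time (e.g. 1970) fails here, as does a forged RRset.
        in_window = now is not None and answer.inception <= now <= answer.expiration
        if not answer.signature_ok or not in_window:
            raise TimeBootstrapError(f"DNSSEC validation of {name} failed at t={now}")
        return answer.ips


class FakeNtp:
    """Stand-in for NTP: each IP reports a clock; take the median of the replies."""

    def __init__(self, clock_by_ip: dict):
        self._clock_by_ip = clock_by_ip

    def query(self, ips: Sequence[str]) -> int:
        replies = [self._clock_by_ip[ip] for ip in ips if ip in self._clock_by_ip]
        if not replies:
            raise TimeBootstrapError("no NTP server answered")
        return median_low(replies)


@dataclass(frozen=True)
class BootstrapResult:
    trusted_time: int
    ip_list_changed: bool


def bootstrap_time(resolver: FakeResolver, ntp: FakeNtp, pool_name: str,
                   tolerance: int = 5) -> BootstrapResult:
    """Pass 1 yields a provisional time nothing else may use; pass 2 validates it."""
    # Pass 1: unvalidated DNS -> NTP. The result is provisional only.
    provisional_ips = resolver.lookup(pool_name, validate=False, now=None)
    provisional_time = ntp.query(provisional_ips)

    # Pass 2: DNSSEC-validated DNS, using the provisional clock for the RRSIG check.
    trusted_ips = resolver.lookup(pool_name, validate=True, now=provisional_time)

    # Re-query the validated servers unconditionally: a pool may hand out different
    # IPs, and what must hold is that the time is right, not that the list is stable.
    verified_time = ntp.query(trusted_ips)
    if abs(verified_time - provisional_time) > tolerance:
        raise TimeBootstrapError(
            f"provisional time {provisional_time} not confirmed ({verified_time})")

    # Only now may the rest of the system start trusting the clock.
    return BootstrapResult(trusted_time=verified_time,
                           ip_list_changed=set(provisional_ips) != set(trusted_ips))


# Constructed scenario data: documentation-range addresses and an arbitrary epoch.
GOOD_TIME = 1_513_580_000
RRSIG_WINDOW = (GOOD_TIME - 86_400, GOOD_TIME + 86_400)


def honest_pool_rotation() -> BootstrapResult:
    """Pool returns different IPs on the second lookup; the time still verifies."""
    resolver = FakeResolver([
        DnsAnswer(("192.0.2.10", "192.0.2.11"), *RRSIG_WINDOW),
        DnsAnswer(("192.0.2.12", "192.0.2.13"), *RRSIG_WINDOW),
    ])
    ntp = FakeNtp({"192.0.2.10": GOOD_TIME, "192.0.2.11": GOOD_TIME + 1,
                   "192.0.2.12": GOOD_TIME + 2, "192.0.2.13": GOOD_TIME})
    return bootstrap_time(resolver, ntp, "pool.example")


def spoofed_first_pass() -> str:
    """Pass 1 is redirected to a server reporting a bogus clock; pass 2 rejects it."""
    resolver = FakeResolver([
        DnsAnswer(("203.0.113.9",), *RRSIG_WINDOW, signature_ok=False),  # forged answer
        DnsAnswer(("192.0.2.10",), *RRSIG_WINDOW),                       # genuine answer
    ])
    ntp = FakeNtp({"203.0.113.9": 0, "192.0.2.10": GOOD_TIME})
    try:
        bootstrap_time(resolver, ntp, "pool.example")
    except TimeBootstrapError:
        return "rejected"
    return "accepted"


if __name__ == "__main__":
    print(honest_pool_rotation())
    print(spoofed_first_pass())
```

The point of the split is in `bootstrap_time`: `provisional_time` is a local that never escapes, so nothing downstream can act on a phase-1 clock, and the forged scenario fails at the validated lookup rather than at the later comparison, because a 1970 clock can never sit inside a current RRSIG window.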


More information about the bind-users mailing list