[ntpwg] [dhcwg] DNSSEC in names vs. numbers for NTP server information in DHCP

TS Glassey tglassey at earthlink.net
Thu Nov 29 16:06:22 GMT 2007


Ohta-san,

----- Original Message ----- 
From: "Masataka Ohta" <mohta at necom830.hpcl.titech.ac.jp>
To: <shane_kerr at isc.org>
Cc: <ntpwg at lists.ntp.org>; <dhcwg at ietf.org>
Sent: Tuesday, November 27, 2007 5:01 PM
Subject: Re: [ntpwg] [dhcwg] DNSSEC in names vs. numbers for NTP server 
information in DHCP


> Shane Kerr wrote:
>
>> It occurs to me that DNSSEC requires accurate time.
>
> DNSSEC requires *SECURE* accurate time.

Yes.

>
>> It seems like we have to provide IP addresses for NTP servers for this 
>> reason.

Not necessarily, but rather a secured timesetting event which operated 
inside the DHCP process context.

>
> It is required that DHCP clients and NTP servers allocated by DHCP
> *SECURELY* share some information for the DHCP clients to authenticate
> the NTP servers.

meaning that the DHCP Server itself should also double as the NTP Server for 
its client only. That is the best solution possible with the way DHCP works 
now.

>
> It, in practice, means shared authentication information must be hand
> configured in the DHCP clients and associated NTP servers, which
> means there is no need for DHCP service to provide NTP server for secure
> DNS.

Yes, it would. The idea that the DHCP server also doubles for setting the time 
of day of the requesting DHCP client is a good idea too.

>
> Masataka Ohta
>
> PS
>
> Still, secure DNS is only weakly secure, that is, as secure as
> plain DNS that there is no reason to deploy it. That is, just as
> plain DNS is vulnerable to compromised intermediate entities such
> as ISPs or zone admins, secure DNS is vulnerable to compromised
> intermediate entities of zone admins or NTP servers.
>
> _______________________________________________
> ntpwg mailing list
> ntpwg at lists.ntp.org
> https://lists.ntp.org/mailman/listinfo/ntpwg 
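
The time dependency discussed in this thread, as an added illustration that is not part of the original messages: a DNSSEC validator compares its local clock against each RRSIG's inception and expiration fields (RFC 4034 section 3.1.5, compared with RFC 1982 serial arithmetic), so the verdict depends on where the client got its time. The signature windows and clock states below are constructed sample values.

```python
# Added illustration: RRSIG validity-window check under different clock states.
# All timestamps and clock states are constructed sample values.
import calendar
import time

MOD = 1 << 32    # RRSIG timestamps are 32-bit seconds since 1970-01-01 UTC
HALF = 1 << 31


def rrsig_time(text):
    """Parse the YYYYMMDDHHmmSS presentation form into a 32-bit timestamp."""
    return calendar.timegm(time.strptime(text, "%Y%m%d%H%M%S")) % MOD


def serial_le(a, b):
    """Return True if a <= b under RFC 1982 serial number arithmetic."""
    return a == b or ((b - a) % MOD) < HALF


def window_verdict(now, inception, expiration):
    """Classify a signature window as seen by a validator whose clock reads now."""
    now %= MOD
    if not serial_le(inception, now):
        return "not-yet-valid"
    if not serial_le(now, expiration):
        return "expired"
    return "in-window"


# Constructed clock states for a client that has just obtained a DHCP lease.
CLOCKS = {
    "correct": rrsig_time("20071129160622"),
    "unset (epoch)": 0,
    "four days behind": rrsig_time("20071125160622"),
}

# Constructed (inception, expiration) pairs: a current signature and an old
# one that expired on 2007-11-27 but is presented to the client again.
CURRENT = (rrsig_time("20071120000000"), rrsig_time("20071220000000"))
REPLAYED = (rrsig_time("20071027000000"), rrsig_time("20071127000000"))


def evaluate(window):
    """Map each clock state to the verdict a validator would reach."""
    return {name: window_verdict(now, *window) for name, now in CLOCKS.items()}


if __name__ == "__main__":
    print("current signature :", evaluate(CURRENT))
    print("replayed signature:", evaluate(REPLAYED))
```

A client with an unset clock rejects even the current signature, while a client whose clock is behind still accepts the one that has already expired, which is why the time source has to be authenticated before DNSSEC validation can be trusted.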


