[dns-operations] Allowance for inaccurate clocks
Jim Reid
jim at rfc1035.com
Wed Mar 16 12:23:58 UTC 2011

On 16 Mar 2011, at 10:42, George Barwood wrote:
> When checking signature inception/expiration fields in DNSSEC,
> should a validator
> make an allowance for small inaccuracies in clocks?

No. Unless of course the inaccuracies are smaller than 1 second: the
granularity of the timestamps in RRSIGs. This should not be an issue
as almost everything useful runs NTP. DNS stuff doing DNSSEC certainly
should.

An RRSIG defines in absolute time the period that it is valid for.
It's the signer's problem to make sure these timestamps are aligned
with UTC. Similarly, it's the validator's responsibility to make sure
its clock is aligned with UTC. All bets are off if neither party does
this or chooses to ignore RFC4034.

Section 3.1.5 of that RFC could hardly be any clearer: The Signature
Expiration and Inception field values specify a date and time in the
form of a 32-bit unsigned number of seconds elapsed since 1 January
1970 00:00:00 UTC, ignoring leap seconds. Perhaps it was so obvious
that the signer and validator would have properly synchronised clocks
that it wasn't needed to document that.

And yes, I know TSIG and SIG(0) have wiggle room in their timestamps.
They're meant to prevent/detect replay attacks rather than "pure"
authentication or validation.
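
The following Python example is added here and is not part of the original message or of any validator's code. It applies the RRSIG time check with no clock allowance, comparing the 32-bit fields with RFC 1982 serial number arithmetic as RFC 4034 section 3.1.5 requires (a detail beyond what the post quotes). The function names, the `skew` parameter and the sample timestamps are assumptions constructed for illustration.

```python
import calendar
import time

MOD = 1 << 32    # RRSIG timestamps are 32-bit unsigned seconds since the epoch
HALF = 1 << 31

# Constructed sample signature window (presentation format YYYYMMDDHHmmSS, UTC).
INCEPTION_TEXT = "20110301000000"
EXPIRATION_TEXT = "20110331000000"


def parse_rrsig_time(text):
    """Convert YYYYMMDDHHmmSS (UTC) to the 32-bit wire value."""
    return calendar.timegm(time.strptime(text, "%Y%m%d%H%M%S")) % MOD


def serial_lt(a, b):
    """RFC 1982 'a < b' for 32-bit serial numbers (handles wrap-around)."""
    return a != b and ((b - a) % MOD) < HALF


def check_window(inception, expiration, now, skew=0):
    """Return 'ok', 'not-yet-valid' or 'expired' for the validator's clock.

    skew=0 is the strict check: inception <= now <= expiration.
    A non-zero skew (hypothetical knob, in seconds) widens the window on
    both sides and is here only to make the difference visible.
    """
    now %= MOD
    if serial_lt((now + skew) % MOD, inception):
        return "not-yet-valid"
    if serial_lt(expiration, (now - skew) % MOD):
        return "expired"
    return "ok"


INCEPTION = parse_rrsig_time(INCEPTION_TEXT)
EXPIRATION = parse_rrsig_time(EXPIRATION_TEXT)

if __name__ == "__main__":
    # A validator whose clock runs one second past expiration rejects the RRSIG.
    for label, now in (("inside", parse_rrsig_time("20110316122358")),
                       ("at expiration", EXPIRATION),
                       ("1s late", EXPIRATION + 1),
                       ("1s early", INCEPTION - 1)):
        print(label, check_window(INCEPTION, EXPIRATION, now))
```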