[dns-operations] Allowance for inaccurate clocks

Jim Reid jim at rfc1035.com
Wed Mar 16 12:23:58 UTC 2011

On 16 Mar 2011, at 10:42, George Barwood wrote:

> When checking signature inception/expiration fields in DNSSEC,  
> should a validator
> make an allowance for small inaccuracies in clocks?

No. Unless of course the inaccuracies are smaller than 1 second: the  
granularity of the timestamps in RRSIGs. This should not be an issue  
as almost everything useful runs NTP. DNS stuff doing DNSSEC certainly  

An RRSIG defines in absolute time the period that it is valid for.  
It's the signer's problem to make sure these timestamps are aligned  
with UTC. Similarly, it's the validator's responsibility to make sure  
its clock is aligned with UTC. All bets are off if neither party does  
this or chooses to ignore RFC4034.

Section 3.1.5 of that RFC could hardly be any clearer: The Signature  
Expiration and Inception field values specify a date and time in the  
form of a 32-bit unsigned number of seconds elapsed since 1 January  
1970 00:00:00 UTC, ignoring leap seconds. Perhaps it was so obvious  
that the signer and validator would have properly synchronised clocks  
that it wasn't needed to document that.

And yes, I know TSIG and SIG(0) have wiggle room in their timestamps.  
They're meant to prevent/detect replay attacks rather than "pure"  
authentication or validation.

More information about the dns-operations mailing list