[dns-operations] Allowance for inaccurate clocks
jabley at hopcount.ca
Wed Mar 16 13:28:51 UTC 2011
On 2011-03-16, at 08:23, Jim Reid wrote:
> On 16 Mar 2011, at 10:42, George Barwood wrote:
>> When checking signature inception/expiration fields in DNSSEC, should a validator
>> make an allowance for small inaccuracies in clocks?
> No. Unless of course the inaccuracies are smaller than 1 second: the granularity of the timestamps in RRSIGs. This should not be an issue as almost everything useful runs NTP. DNS stuff doing DNSSEC certainly should.
This is the biggest headache for end-user operating systems and home gateway embedded systems, I think -- both have been identified as being desirable places for validation, and I suspect neither class of devices runs NTP universally (or reliably universally) today. There's also a lot of them.
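The check under discussion, written out as an added example (not part of the original thread and not any validator's own code): an RRSIG validity-window test using the 32-bit serial-number comparison that RFC 4034 requires for these fields, run with and without a tolerance. The function names, the `skew` parameter and all timestamps are assumptions constructed for illustration.

```python
import calendar

MOD = 1 << 32    # RRSIG inception/expiration are 32-bit counts of seconds
HALF = 1 << 31

def serial_lt(a, b):
    """RFC 1982 serial-number 'a < b' for 32-bit values."""
    return 0 < (b - a) % MOD < HALF

def rrsig_time_status(inception, expiration, now, skew=0):
    """Classify a signature's validity window against the validator's clock.

    skew (hypothetical parameter) widens the window by that many seconds on
    each side; skew=0 is the strict comparison.
    """
    now %= MOD
    earliest = (inception - skew) % MOD
    latest = (expiration + skew) % MOD
    if serial_lt(expiration % MOD, inception % MOD):
        return "malformed"          # expiration precedes inception
    if serial_lt(now, earliest):
        return "not-yet-valid"
    if serial_lt(latest, now):
        return "expired"
    return "valid"

def demo():
    # Constructed sample values, not taken from any real zone.
    inception = calendar.timegm((2011, 3, 16, 13, 0, 0))
    expiration = inception + 30 * 86400
    slow_clock = inception - 300    # device clock running 5 minutes behind
    return {
        "strict, slow clock": rrsig_time_status(inception, expiration, slow_clock),
        "600s skew, slow clock": rrsig_time_status(inception, expiration, slow_clock, 600),
        "strict, 1s past expiry": rrsig_time_status(inception, expiration, expiration + 1),
        # Window that straddles the 32-bit wrap; serial arithmetic still orders it.
        "wrap-around window": rrsig_time_status(MOD - 100, 200, 50),
    }

if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case}: {status}")
```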