Sad Clouds <cryintothebluesky%gmail.com@localhost> writes:

>> Is it reasonable/feasible to have unbound lighten up on the tight time
>> requirement?
>
> You can make adjustments in unbound.conf
>
> val-sig-skew-min: <seconds>
> val-sig-skew-max: <seconds>
>
> but what exactly is a reasonable time skew? Ideally you'd want to keep
> it as small as possible, otherwise you open yourself to replay attacks,
> etc. It's not just unbound, I think any DNS resolver implementing
> DNSSEC would have such limits.

I think reasonable is in the eye of the beholder, balancing the security
goodness from tight replay protection and the pain of trouble when the
clock is wrong. It seems fairly clear that 1 day is not a good choice
for systems that don't have reliable clocks.

Arguably, for systems that want this replay protection in DNSSEC, they
need to not allow ntpdate or large steps, because those are based on
unauthenticated data.

So perhaps unbound should default to what it does now, normally, and to
30 days if the system reports (via the sysctl I proposed) that there is
no TOD clock.

I wonder what anyone's plan is for configuring authentication on NTP by
default? (that's really hard)
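Added example, not part of the original message and not unbound's own code: a simplified Python model of the skew rule documented in unbound.conf(5) (10% of the signature lifetime, bounded by val-sig-skew-min and val-sig-skew-max, defaults 3600 and 86400 seconds), showing the trade-off discussed above. The RRSIG dates and the two clock scenarios are constructed, and the function names are hypothetical.

```python
from datetime import datetime, timedelta, timezone

DAY = 86400

def allowed_skew(inception, expiration, skew_min=3600, skew_max=DAY):
    """Skew in seconds: 10% of the signature lifetime, raised to at least
    skew_min and then capped at skew_max (defaults as in unbound.conf(5))."""
    lifetime = (expiration - inception).total_seconds()
    return min(skew_max, max(skew_min, lifetime / 10))

def signature_accepted(now, inception, expiration, **skew):
    """True if `now` falls inside the validity window widened by the skew."""
    slack = timedelta(seconds=allowed_skew(inception, expiration, **skew))
    return inception - slack <= now <= expiration + slack

# Constructed sample: an RRSIG with a 30-day lifetime.
INCEPTION = datetime(2024, 1, 1, tzinfo=timezone.utc)
EXPIRATION = INCEPTION + timedelta(days=30)
# Constructed scenario: host with no TOD clock boots 10 days behind inception.
STALE_NOW = INCEPTION - timedelta(days=10)
# Constructed scenario: correct clock, signature expired 29 days ago (replayed).
REPLAY_NOW = EXPIRATION + timedelta(days=29)

SETTINGS = {
    "defaults": {},
    "max raised only": {"skew_max": 30 * DAY},
    "min and max 30d": {"skew_min": 30 * DAY, "skew_max": 30 * DAY},
}

def evaluate():
    """Per setting: (stale-clock host validates?, expired signature accepted?)."""
    return {
        name: (signature_accepted(STALE_NOW, INCEPTION, EXPIRATION, **kw),
               signature_accepted(REPLAY_NOW, INCEPTION, EXPIRATION, **kw))
        for name, kw in SETTINGS.items()
    }

if __name__ == "__main__":
    for name, (boots_ok, replay_ok) in evaluate().items():
        print(f"{name:16} stale clock validates={boots_ok} "
              f"expired sig accepted={replay_ok}")
```

Raising only val-sig-skew-max changes nothing for this signature, because the 10% term (3 days) is already below the cap. The 30-day tolerance appears only when val-sig-skew-min is raised as well, and that same setting accepts the signature that expired 29 days earlier.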