Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping

[Michael Richardson <mcr@sandelman.ca>]

Aaron Wood <woody77@gmail.com> wrote:
    > Aaron Wood <woody77@gmail.com> writes:

    >> or we find a way to have long-lived dnssec entries.

    > Is the timing controllable somehow? I.e. would it be possible to set up
    > a special domain name with a really long-lived key that could be queried
    > indefinitely for the IP address of one or more NTP servers, even in the
    > face of an a wrong clock?

    > My understanding (albeit, not a deep one) is that the dnssec keys all have a
    > fairly short expiration, just a few months.  It would be nice if they were
    > longer-lived (in this particular case), but you still have an issue of

That's operationally true, but not baked into any protocol.

So, aside from caching cache.pool.ntp.org into /etc/hosts:

The ., org. keys are not going to grow multiple year expiries, so we need our
own thing to cache.  One could cache the DNSKEY for bufferbloat.net along
with the root zone keys... then lookup ntp.bufferbloat.net. It would have to
return a A/AAAA records, because chasing a CNAME into ntp.org would fail to
validate.

    > of the entry, for the resolution of ntp server names, and then you have to
    > somehow convey to the resolver that you want a secure lookup, but it's ok if
    > it's expired (or too new, or...), which gets back to some of the earlier parts
    > of this discussion.

Bingo.

--
]               Never tell me the odds!                 | ipv6 mesh networks [
]   Michael Richardson, Sandelman Software Works        | network architect  [
]     mcr@sandelman.ca  http://www.sandelman.ca/        |   ruby on rails    [