From: Michael Richardson <mcr@sandelman.ca>
To: Aaron Wood
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping
Date: Sun, 23 Mar 2014 22:41:59 -0000
References: <8738i9rwrx.fsf@alrua-x1.karlstad.toke.dk>

Aaron Wood wrote:
> Aaron Wood writes:
>> or we find a way to have long-lived dnssec entries.
> Is the timing controllable somehow? I.e. would it be possible to set up
> a special domain name with a really long-lived key that could be queried
> indefinitely for the IP address of one or more NTP servers, even in the
> face of a wrong clock?

> My understanding (albeit, not a deep one) is that the dnssec keys all have a
> fairly short expiration, just a few months. It would be nice if they were
> longer-lived (in this particular case), but you still have an issue of

That's operationally true, but not baked into any protocol.

So, aside from caching cache.pool.ntp.org into /etc/hosts:

The ., org. keys are not going to grow multiple-year expiries, so we need our
own thing to cache.

One could cache the DNSKEY for bufferbloat.net along with the root zone
keys... then look up ntp.bufferbloat.net. It would have to return A/AAAA
records, because chasing a CNAME into ntp.org would fail to validate.

> of the entry, for the resolution of ntp server names, and then you have to
> somehow convey to the resolver that you want a secure lookup, but it's ok if
> it's expired (or too new, or...), which gets back to some of the earlier parts
> of this discussion.

Bingo.

-- 
] Never tell me the odds!                 | ipv6 mesh networks [
] Michael Richardson, Sandelman Software Works | network architect [
] mcr@sandelman.ca http://www.sandelman.ca/ | ruby on rails [
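The chicken-and-egg problem discussed above (a validating resolver needs a correct clock to accept an RRSIG's inception/expiration window, but the router has no correct clock until it has resolved an NTP server) can be seen in a small model. This is an added illustration, not code from the thread or from CeroWrt: the window check follows RFC 4034 section 3.1.5 (32-bit serial arithmetic, RFC 1982), and the record names, addresses and signature times are constructed sample values.

```python
from datetime import datetime, timezone

SERIAL_HALF = 1 << 31  # RFC 1982 serial arithmetic over the 32-bit RRSIG time fields

def rrsig_time(ts: str) -> int:
    """RRSIG Inception/Expiration presentation form YYYYMMDDHHmmSS (UTC) -> seconds."""
    dt = datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) & 0xFFFFFFFF

def serial_le(a: int, b: int) -> bool:
    """a <= b under RFC 1982 serial arithmetic, as RFC 4034 s3.1.5 requires."""
    return a == b or (a < b and b - a < SERIAL_HALF) or (a > b and a - b > SERIAL_HALF)

def rrsig_window(inception: str, expiration: str, now: int) -> str:
    """Classify a signature's validity at clock value 'now' (seconds since epoch)."""
    inc, exp = rrsig_time(inception), rrsig_time(expiration)
    now &= 0xFFFFFFFF
    if not serial_le(inc, now):
        return "not yet valid"   # clock is behind inception (e.g. no RTC, boot at 1970)
    if not serial_le(now, exp):
        return "expired"         # clock is ahead of expiration
    return "valid"

def pick_ntp_address(now: int, signed_answer: dict, pinned: str) -> tuple:
    """Bootstrap order: use the DNSSEC-signed answer only if its RRSIG window
    validates at 'now'; otherwise fall back to the locally cached
    (/etc/hosts-style) address the thread suggests pinning."""
    status = rrsig_window(signed_answer["inception"], signed_answer["expiration"], now)
    if status == "valid":
        return signed_answer["address"], "dnssec"
    return pinned, "pinned:" + status

# Constructed sample data, not real records: a two-week RRSIG window in March 2014.
SIGNED_NTP = {"name": "ntp.example.net.", "address": "192.0.2.123",
              "inception": "20140316000000", "expiration": "20140330000000"}
PINNED_NTP = "192.0.2.10"   # constructed placeholder for a cached NTP address

if __name__ == "__main__":
    boot_clock = 0                          # router with no RTC powers up at 1970-01-01
    good_clock = rrsig_time("20140323180000")
    print(pick_ntp_address(boot_clock, SIGNED_NTP, PINNED_NTP))  # falls back to pin
    print(pick_ntp_address(good_clock, SIGNED_NTP, PINNED_NTP))  # validated answer
```

The same `rrsig_window` check applies to every RRSIG in the chain, which is why a pinned A/AAAA record (or a cached DNSKEY plus a name that does not CNAME into a zone you have not cached) is what gets the first NTP exchange off the ground.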