From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mx.spodhuis.org (smtp.spodhuis.org [IPv6:2a02:898:31:0:48:4558:736d:7470]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (Client did not present a certificate) by huchra.bufferbloat.net (Postfix) with ESMTPS id 5EED721F1EE for ; Mon, 24 Mar 2014 12:12:07 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=spodhuis.org; s=d201312; h=In-Reply-To:Content-Type:MIME-Version:References:Message-ID:Subject:Cc:To:From:Date; bh=nxXwU+7Nm85UIVAfw+whU47lees+2d8AqhfZRCyRM08=; b=Pk4w/95aFc8kWtoKVTglmAXo5BB4b3nyifmBXl1oQQvB2+wfOAc/2tAdyV9tQC/2gSD7VRO2qxrRTONq8foR8sSVVh8Go1mL4KXcaftxz0N8pgAzwMmS7Y/0EQ9PBEo3CX2Sex97LUjP6FBG871joiA+sacaDfaf/n9UK+mHpST/c4GP+AGRlt843ruH28WlobSTdWT8tgHgsojE; Received: from authenticated user by smtp.spodhuis.org with esmtpsa (TLSv1.2:ECDHE-RSA-AES256-GCM-SHA384:256) id 1WSAI0-000KOZ-MW; Mon, 24 Mar 2014 19:12:04 +0000 Date: Mon, 24 Mar 2014 15:12:03 -0400 From: Phil Pennock To: Joseph Swick Message-ID: <20140324191203.GA78098@redoubt.spodhuis.org> Mail-Followup-To: Joseph Swick , "cerowrt-devel@lists.bufferbloat.net" References: MIME-Version: 1.0 Content-Type: multipart/signed; micalg=pgp-sha256; protocol="application/pgp-signature"; boundary="dTy3Mrz/UPE2dbVg" Content-Disposition: inline In-Reply-To: OpenPGP: url=https://www.security.spodhuis.org/PGP/keys/0x3903637F.asc Cc: "cerowrt-devel@lists.bufferbloat.net" Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Mar 2014 19:12:07 -0000 --dTy3Mrz/UPE2dbVg Content-Type: multipart/mixed; boundary="IS0zKkzwUGydFO0o" Content-Disposition: inline --IS0zKkzwUGydFO0o Content-Type: text/plain; charset=us-ascii Content-Disposition: inline On 2014-03-21 at 23:33 -0400, Joseph Swick wrote: > I've been lurking for several months now on the list and I remember some > discussion about trying to find acceptable methods for bootstrapping the > local system time so that DNSSEC would work. I raised this on the ntp-pool mailing-lists last year, looking for a solution because of the chicken/egg bootstrap, with suggested approaches and some trial scripts. Eg: http://lists.ntp.org/pipermail/pool/2013-July/006569.html For context, I'm currently running OpenWRT; attached is the /etc/init.d/ntpdate which I'm using. It relies upon having Python and dig installed, as I haven't gotten around to building a small C utility to do just this task, but perhaps the approach is useful enough that someone else might do so? In summary: if the current time is less than the timestamp on the unbound-maintained copy of the root zone trust anchors, then bump the time up at least that far, because we must be at >= that timestamp, and this increases the odds that DNSSEC will validate if we haven't been off-line for too long. Then, for each hostname in the $STEP_SERVERS list (which could be taken from ntp.conf or uci config or whatever, but here is just hardcoded), I try to resolve IPv4 then IPv6, first with DNSSEC left enabled, and then with DNSSEC disabled via `dig +cd`. The first dig command to return results is the one which is used. The idea is to minimize the potential vulnerability of syncing to a bad timesource, by using DNSSEC if it's available and works, after making sure it has a reasonable chance of working if we've just rebooted, and only if we've been off-line for some time do we fall back to insecure DNS. Make sure that the START value is appropriate for your systems; I've found the OpenWRT defaults to be sufficiently broken that I stomp on them on reinstall. I run ntpdate once the network and firewall are up, but just before ntpd and both of those well before other network services which might depend upon time. Regards, -Phil --IS0zKkzwUGydFO0o Content-Type: text/plain; charset=us-ascii Content-Disposition: inline; filename=ntpdate-router-initscript #!/bin/sh /etc/rc.common # Copyright (C) 2006-2008 OpenWrt.org # Copyright (C) 2013 Phil Pennock START=60 STEP_SERVERS="0.openwrt.pool.ntp.org 1.openwrt.pool.ntp.org 2.openwrt.pool.ntp.org" TIMEOUT="2" # in seconds PRESEED_TIMESTAMP_FN="/etc/unbound/runtime/root.autokey" # The core problem is that with DNSSEC, an invalid time prevents resolution # of DNS, but we need DNS to be able to find time-servers to get a good time # to be able to resolve DNS. # # We break out of this "Catch 22" situation by _trying_ normal DNS resolution, # IPv4 and then IPv6, and only if those fail do we forcibly disable DNSSEC # by using dig(1)'s +cd flag ("checking disabled"); trying normally first # protects us against malicious DNS trying to point us to bad time-servers, # if we've enough state that we _should_ already be protected. # # The "insecure" approach we regress to, as a last resort, is the same way # the Internet functioned for decades. There is a DoS+hijack attack path # here, but if we don't have a good battery-backed clock to protect us, we # don't have a better solution. # Also, per a suggestion from Doug Calvert, we can use the timestamp of # modification of the unbound root.key file itself as an approximate time. # Unbound updates the file on every refresh, so it's not too far off. preseed_approximate_time() { # Unfortunately, date(1) on OpenWRT can't parse the timestamp # output from ls. python -c ' import os, time, sys fn=sys.argv[1] min_time=os.stat(fn).st_ctime if time.time() < min_time: want=time.strftime("%Y%m%d%H%M.%S", time.gmtime(min_time)) os.system("date -u -s %s" % want)' "$PRESEED_TIMESTAMP_FN" > /dev/null } resolve_hostname_v4() { # we use the grep both to filter out cname referrals and to detect empty # results local hn="$1" shift dig +nodnssec +short "$@" -t a "$hn" | grep '^[0-9][0-9.]*$' } resolve_hostname_v6() { local hn="$1" shift dig +nodnssec +short "$@" -t aaaa "$hn" | grep -i '^[0-9a-f][0-9a-f.:]*$' } resolve_one_server() { local hn="$1" resolve_hostname_v4 $hn && return resolve_hostname_v6 $hn && return resolve_hostname_v4 $hn +cd && return resolve_hostname_v6 $hn +cd && return } resolve_step_servers() { local server ips for server in $STEP_SERVERS ; do resolve_one_server $server done } start() { preseed_approximate_time for s in $(resolve_step_servers) ; do /usr/sbin/ntpdate -s -b -u -t "$TIMEOUT" "$s" && break done } --IS0zKkzwUGydFO0o-- --dTy3Mrz/UPE2dbVg Content-Type: application/pgp-signature -----BEGIN PGP SIGNATURE----- iQEcBAEBCAAGBQJTMIN7AAoJEKBsj+IM0duFoPEIAJrPQDlVjk5EO47kbFGfg9d+ 8SnliK/Yo35Lc/SGuWAWVHAzVbMFN1oMb+KKXBB2VUFF0HWvrxwJ8VP/G4jo8rVa +KKT+hyRknWf56Tx6wm0FZ112uf2M+JSytLwjhkqqmpXhsNAwmwMsRR9WB9ApTWb 7Xh8GcIqbf72t+f1KAnASsAberEBJm2DAX2n2agXYy4d0JQ2ketzA5jwqSzrMiI6 2aL3fHiBHVyO1uPJjWemTh4cjVjsgZK7pBu46uST/gn61GgQs/5d0aGmibD359Jt 9J0dE6qdfQmCaODJjUHVpAAes82i/JfGRafWRJguE3mwWVEYIigqi9ZhJGZotUg= =/Usn -----END PGP SIGNATURE----- --dTy3Mrz/UPE2dbVg--