From: Michael Richardson
Sender: mcr@sandelman.ca
To: cerowrt-devel@lists.bufferbloat.net
Date: Tue, 21 Aug 2012 21:21:29 -0400
Subject: Re: [Cerowrt-devel] cerowrt 3.3.8-17: nice latency improvements, some issues with bind
Message-ID: <26683.1345598489@sandelman.ca>
References: <502E064C.50305@etorok.net> <502E9609.5040800@etorok.net> <9246.1345321014@sandelman.ca> <19070.1345504767@sandelman.ca>
Comments: In-reply-to Maciej Soltysiak message dated "Wed, 22 Aug 2012 00:03:42 +0200."
List-Id: Development issues regarding the cerowrt test router project

>>>>> "Maciej" == Maciej Soltysiak writes:
    >> Good idea, but you need DNS to find that server, and you need
    >> time to do DNSSEC.

    Maciej> How about this:
    Maciej> 1) do a 1 time `host time.nist.gov 8.8.8.8` and feed that to NTP config file
    Maciej> 2) make NTP get time from the IP of time.nist.gov resolved from step 1
    Maciej> 3) start bind with dnssec

Sure, you could do this. There is no significant security advantage in doing this, vs starting bind with DNSSEC time validation disabled.
A malicious attacker who wants to attack you also controls the answer that 8.8.8.8 returns, and also controls the NTP answer on port 123. Bad guys own your uplink. It's as easy as plugging a *WRT box in front of yours, or any place upstream. (if you are paranoid, you are paranoid)

Or turn off DNSSEC validation until you have some notion of time. That way, you wouldn't claim to have done validation.

--
Michael Richardson
-at the cottage-
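As an added example that is not part of the thread or of the CeroWrt project, a POSIX shell script implementing the reply's suggestion: run named with DNSSEC validation off until the router's clock is plausible, then enable it. The build-time threshold MIN_PLAUSIBLE_EPOCH and the clock samples are constructed assumptions, not values from the list.

```shell
#!/bin/sh
# Added example, not code from the thread or the CeroWrt project: gate BIND's
# DNSSEC validation on whether the router has "some notion of time". A router
# without a battery-backed clock boots near epoch 0, and every RRSIG then looks
# not-yet-valid, so validation could not succeed in that window anyway.
set -eu

# Assumption: the firmware build timestamp, baked into the image at build time.
# Any clock reading earlier than this is known to be wrong. Constructed value.
MIN_PLAUSIBLE_EPOCH=1345500000   # about 21 Aug 2012

# clock_is_plausible EPOCH -> true when EPOCH is at or after the build time.
clock_is_plausible() {
    [ "$1" -ge "$MIN_PLAUSIBLE_EPOCH" ]
}

# dnssec_validation_setting EPOCH -> "yes" or "no" for named.conf's options {}.
# With "no", named hands out answers without the AD bit, so clients are not
# told that validation happened when it did not.
dnssec_validation_setting() {
    if clock_is_plausible "$1"; then echo yes; else echo no; fi
}

# render_named_options EPOCH -> prints the options block to write to named.conf.
# After rewriting the file, `rndc reconfig` makes the running named pick it up.
render_named_options() {
    printf 'options {\n    dnssec-validation %s;\n};\n' \
        "$(dnssec_validation_setting "$1")"
}

# boot_sequence EPOCH... -> one "EPOCH=setting" token per clock sample, showing
# the switch from unvalidated bootstrap to validation once NTP has set the clock.
boot_sequence() {
    for t in "$@"; do printf '%s=%s ' "$t" "$(dnssec_validation_setting "$t")"; done
    printf '\n'
}

# Constructed samples: first reading just after power-on, second after NTP sync.
boot_sequence 42 1345598489
render_named_options "$(date +%s)"
```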