Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping

[Simon Kelley <simon@thekelleys.org.uk>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 22/03/14 19:38, Toke Høiland-Jørgensen wrote:
> Simon Kelley <simon@thekelleys.org.uk> writes:
> 
>> One possibility would be to store the current time in NVRAM. When
>> the router comes up, that gives a lower bound on the current
>> time, and would solve attacks using old keys.
> 
> This is already implemented (basically it finds the most recently 
> modified file in /etc and sets the time to that; I think there's
> also a script that periodically refreshes some file there), and
> works to keep time during a reboot. However, when first flashing an
> image, the time will be whatever time that image was created...
> 
>> Less drastic would be to disable the key-time checks for this
>> phase. Simplest would be a config flag: start it up with that
>> flag whilst NTP does its stuff, them restart without when the
>> clock is OK. Another option would be to disable the checks when
>> the query arrives from a "magic" loopback address: maybe
>> 127.110.116.112 (127.'n'.'t'.'p')
> 
> The magic address would require the resolver and/or the ntp daemon
> to be patched? What about a config option that adds a grace time?
> Say enable dnssec after N seconds?

That would be possible: it would require care to make it work in the
face of the system time being warped by NTP. Best way may  be to use
times() rather than time()

Cheers,

Simon.

> 
> -Toke
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlMt56gACgkQKPyGmiibgrfafgCeJVIyxtGXLfkh/YaLkQ9QaTzM
/Q4AoJiWKjwnwVlU+3v75asbK39cuImx
=AJrb
-----END PGP SIGNATURE-----