From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from bytemark.thekelleys.org.uk (bytemark.thekelleys.org.uk [IPv6:2001:41c8:51:46b:feff:ff:fe00:3310]) (using TLSv1 with cipher DHE-RSA-AES128-SHA (128/128 bits)) (Client did not present a certificate) by huchra.bufferbloat.net (Postfix) with ESMTPS id B6EDE21F1D6 for ; Sat, 22 Mar 2014 12:43:13 -0700 (PDT) Received: from [213.205.228.19] (helo=[192.168.150.151]) by bytemark.thekelleys.org.uk with esmtpa (Exim 4.80) (envelope-from ) id 1WRRp1-0007WJ-0p; Sat, 22 Mar 2014 19:43:12 +0000 Message-ID: <532DE7A8.3010504@thekelleys.org.uk> Date: Sat, 22 Mar 2014 19:42:32 +0000 From: Simon Kelley User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:24.0) Gecko/20100101 Thunderbird/24.2.0 MIME-Version: 1.0 To: =?ISO-8859-1?Q?Toke_H=F8iland-J=F8rgensen?= References: <532DD9DD.8040301@thekelleys.org.uk> <871txut453.fsf@alrua-x1.karlstad.toke.dk> In-Reply-To: <871txut453.fsf@alrua-x1.karlstad.toke.dk> X-Enigmail-Version: 1.6 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 8bit Cc: cerowrt-devel@lists.bufferbloat.net Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Sat, 22 Mar 2014 19:43:14 -0000 -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 22/03/14 19:38, Toke Høiland-Jørgensen wrote: > Simon Kelley writes: > >> One possibility would be to store the current time in NVRAM. When >> the router comes up, that gives a lower bound on the current >> time, and would solve attacks using old keys. > > This is already implemented (basically it finds the most recently > modified file in /etc and sets the time to that; I think there's > also a script that periodically refreshes some file there), and > works to keep time during a reboot. However, when first flashing an > image, the time will be whatever time that image was created... > >> Less drastic would be to disable the key-time checks for this >> phase. Simplest would be a config flag: start it up with that >> flag whilst NTP does its stuff, them restart without when the >> clock is OK. Another option would be to disable the checks when >> the query arrives from a "magic" loopback address: maybe >> 127.110.116.112 (127.'n'.'t'.'p') > > The magic address would require the resolver and/or the ntp daemon > to be patched? What about a config option that adds a grace time? > Say enable dnssec after N seconds? That would be possible: it would require care to make it work in the face of the system time being warped by NTP. Best way may be to use times() rather than time() Cheers, Simon. > > -Toke > -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlMt56gACgkQKPyGmiibgrfafgCeJVIyxtGXLfkh/YaLkQ9QaTzM /Q4AoJiWKjwnwVlU+3v75asbK39cuImx =AJrb -----END PGP SIGNATURE-----