Message-ID: <5339A532.70006@gmail.com>
Date: Mon, 31 Mar 2014 18:26:10 +0100
From: Robert Bradley
To: cerowrt-devel@lists.bufferbloat.net
In-Reply-To: <5339629F.9000809@gmail.com>
Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping -- prototype!
On 31/03/2014 13:42, Robert Bradley wrote:
> There is a val_getaddrinfo() available in libval which is based on
> http://tools.ietf.org/html/draft-hayatnagarkar-dnsext-validator-api-09#section-3.2
> if we want to go down that route.
> The validation in that case is done entirely outside dnsmasq (with the
> CD bit set on the libval queries). We have libval available already but
> not installed, so that is not a problem. Implementing this in BusyBox
> and sysntpd may be a bit of an issue though.

I have a *very* rough implementation of this at
https://github.com/rb12345/busybox (ntpd-dnssec branch), based on busybox
HEAD. However, this is completely untested at this point.

This patch requires the libval and libsres libraries to operate and
introduces a new ENABLE_FEATURE_DNSSEC flag/config option. When enabled,
the internal str2sockaddr/val_str2sockaddr function will always validate
DNSSEC signatures using the libval library.

The nice thing about this is that if it works, upstream ISP support for
DNSSEC is unnecessary since all the queries and responses are performed
locally. The downside is that everything in busybox that uses str2sockaddr
is now forced to do recursive DNSSEC lookups.
-- 
Robert Bradley