From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Simon Kelley <simon@thekelleys.org.uk>
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping
Date: Sat, 22 Mar 2014 20:38:48 +0100 [thread overview]
Message-ID: <871txut453.fsf@alrua-x1.karlstad.toke.dk> (raw)
In-Reply-To: <532DD9DD.8040301@thekelleys.org.uk> (Simon Kelley's message of "Sat, 22 Mar 2014 18:43:41 +0000")
[-- Attachment #1: Type: text/plain, Size: 1083 bytes --]
Simon Kelley <simon@thekelleys.org.uk> writes:
> One possibility would be to store the current time in NVRAM. When the
> router comes up, that gives a lower bound on the current time, and
> would solve attacks using old keys.
This is already implemented (basically it finds the most recently
modified file in /etc and sets the time to that; I think there's also a
script that periodically refreshes some file there), and works to keep
time during a reboot. However, when first flashing an image, the time
will be whatever time that image was created...
> Less drastic would be to disable the key-time checks for this phase.
> Simplest would be a config flag: start it up with that flag whilst NTP
> does its stuff, them restart without when the clock is OK. Another
> option would be to disable the checks when the query arrives from a
> "magic" loopback address: maybe 127.110.116.112 (127.'n'.'t'.'p')
The magic address would require the resolver and/or the ntp daemon to be
patched? What about a config option that adds a grace time? Say enable
dnssec after N seconds?
-Toke
[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 489 bytes --]
next prev parent reply other threads:[~2014-03-22 19:39 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-22 3:33 Joseph Swick
2014-03-22 17:42 ` Dave Taht
2014-03-22 18:43 ` Simon Kelley
2014-03-22 19:38 ` Toke Høiland-Jørgensen [this message]
2014-03-22 19:42 ` Simon Kelley
2014-03-22 20:00 ` Toke Høiland-Jørgensen
2014-03-24 21:39 ` Simon Kelley
2014-03-27 20:38 ` Simon Kelley
2014-03-28 7:57 ` Toke Høiland-Jørgensen
2014-03-28 9:08 ` Simon Kelley
2014-03-28 9:18 ` Toke Høiland-Jørgensen
2014-03-28 10:41 ` Simon Kelley
2014-03-28 10:48 ` Toke Høiland-Jørgensen
2014-03-28 19:46 ` Simon Kelley
2014-03-28 20:55 ` Simon Kelley
2014-03-29 9:20 ` Toke Høiland-Jørgensen
2014-03-29 10:55 ` [Cerowrt-devel] DNSSEC & NTP Bootstrapping -- prototype! Toke Høiland-Jørgensen
2014-03-29 21:21 ` Michael Richardson
2014-03-29 21:30 ` Dave Taht
2014-03-30 13:21 ` Toke Høiland-Jørgensen
2014-03-30 16:59 ` Dave Taht
2014-03-30 18:38 ` Toke Høiland-Jørgensen
2014-03-30 19:30 ` Toke Høiland-Jørgensen
2014-03-30 20:06 ` Dave Taht
2014-03-30 20:51 ` Toke Høiland-Jørgensen
2014-03-31 12:42 ` Robert Bradley
2014-03-31 17:26 ` Robert Bradley
2014-03-22 21:15 ` [Cerowrt-devel] DNSSEC & NTP Bootstrapping Joseph Swick
2014-03-23 10:12 ` Aaron Wood
2014-03-23 11:15 ` Toke Høiland-Jørgensen
2014-03-23 12:11 ` David Personette
2014-03-23 12:20 ` Toke Høiland-Jørgensen
2014-03-23 12:22 ` Aaron Wood
2014-03-23 22:41 ` Michael Richardson
2014-03-24 9:51 ` Aaron Wood
2014-03-24 9:59 ` Toke Høiland-Jørgensen
2014-03-24 12:29 ` Chuck Anderson
2014-03-24 13:39 ` Toke Høiland-Jørgensen
2014-03-24 14:31 ` Alijah Ballard
2014-03-24 13:54 ` Valdis.Kletnieks
2014-03-24 19:12 ` Phil Pennock
2014-03-24 20:27 ` David Personette
2014-03-24 21:30 ` Phil Pennock
2014-03-24 21:58 ` Dave Taht
2014-03-25 9:55 ` David Personette
2014-03-25 14:25 ` Michael Richardson
2014-03-24 21:03 ` Toke Høiland-Jørgensen
2014-03-24 22:09 ` Török Edwin
2014-03-24 23:33 ` Toke Høiland-Jørgensen
2014-03-25 1:16 ` Joseph Swick
2014-03-24 22:16 ` Phil Pennock
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=871txut453.fsf@alrua-x1.karlstad.toke.dk \
--to=toke@toke.dk \
--cc=cerowrt-devel@lists.bufferbloat.net \
--cc=simon@thekelleys.org.uk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox