Re: [Cerowrt-devel] cerowrt security - Toke Høiland-Jørgensen

Development issues regarding the cerowrt test router project
 help / color / mirror / Atom feed

From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Maciej Soltysiak <maciej@soltysiak.com>
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] cerowrt security
Date: Tue, 22 Oct 2013 13:59:24 +0200	[thread overview]
Message-ID: <871u3d4iub.fsf@toke.dk> (raw)
In-Reply-To: <CAMZR1YCp=zkDFWm7z4uT9HsSiBAjB9xf8w4AZs0MoVsC8-pAgA@mail.gmail.com> (Maciej Soltysiak's message of "Tue, 22 Oct 2013 13:43:31 +0200")

[-- Attachment #1: Type: text/plain, Size: 1048 bytes --]

Maciej Soltysiak <maciej@soltysiak.com> writes:

> Therefore I have bought a VM at a cloud provider in my city and
> deployed the same thing they are but 7ms away. DNSCrypt-wrapper with a
> default config of unbound to provide recursive, DNSSEC validated NS.

An alternative approach is to simply run a full BIND resolver with
DNSSEC validation on the cerowrt box. That is doable, with a bit of
configuration (notably adding the root key config file). The biggest
issue is one of time: when the router boots up it doesn't know the time,
and hence can't validate DNSSEC, making it unable to contact an NTP
server. A way to solve this is to get hold of a USB GPS receiver and use
that as a time source either on the cerowrt box itself, or on another
box that the router can reach when it boots up (and configure that in
/etc/hosts or simply input an IP into the NTP config). I suppose
configuring a known good NTP server by IP (or in /etc/hosts) would work
as well.

I use this setup (with a GPS on my home server) and it works quite well. :)

-Toke

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 489 bytes --]

next prev parent reply	other threads:[~2013-10-22 12:00 UTC|newest]

Thread overview: 7+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2013-10-22  1:31 Aristar
2013-10-22  1:59 ` Dave Taht
2013-10-22  3:25   ` Aristar
2013-10-22 11:43 ` Maciej Soltysiak
2013-10-22 11:59   ` Toke Høiland-Jørgensen [this message]
2013-10-22 12:26     ` Richard E. Brown
2013-10-22 12:31       ` David Lang

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

  List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=871u3d4iub.fsf@toke.dk \
    --to=toke@toke.dk \
    --cc=cerowrt-devel@lists.bufferbloat.net \
    --cc=maciej@soltysiak.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox