From: Toke Høiland-Jørgensen
To: Maciej Soltysiak
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Tue, 22 Oct 2013 13:59:24 +0200
Subject: Re: [Cerowrt-devel] cerowrt security
Message-ID: <871u3d4iub.fsf@toke.dk>

Maciej Soltysiak writes:

> Therefore I have bought a VM at a cloud provider in my city and
> deployed the same thing they are but 7ms away. DNSCrypt-wrapper with a
> default config of unbound to provide recursive, DNSSEC validated NS.

An alternative approach is to simply run a full BIND resolver with DNSSEC validation on the cerowrt box. That is doable, with a bit of configuration (notably adding the root key config file). The biggest issue is one of time: when the router boots up it doesn't know the time, and hence can't validate DNSSEC, making it unable to contact an NTP server.
A way to solve this is to get hold of a USB GPS receiver and use that as a time source either on the cerowrt box itself, or on another box that the router can reach when it boots up (and configure that in /etc/hosts or simply input an IP into the NTP config). I suppose configuring a known good NTP server by IP (or in /etc/hosts) would work as well. I use this setup (with a GPS on my home server) and it works quite well. :)

-Toke
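The bootstrap condition Toke describes (the clock must be settable before DNSSEC validation works, so every NTP server has to be an IP literal or pinned in /etc/hosts) as a boot-time check script. This is an added example, not code from the thread or from cerowrt; the build-date epoch, the sample hosts file and the addresses in it are constructed assumptions.

```shell
#!/bin/sh
# Added example: verify that a router's NTP servers can be reached before
# DNSSEC validation has a trusted clock, i.e. without any DNS lookup.

# Assumed lower bound for a sane clock (firmware build date, constructed).
BUILD_EPOCH=1382400000   # 2013-10-22

# 0 if epoch $1 is plausible, 1 if it looks like an unset (1970-ish) clock.
clock_is_sane() {
    [ "$1" -ge "$BUILD_EPOCH" ]
}

# 0 if $1 is a dotted-quad IPv4 literal (usable with no resolver at all).
is_ipv4_literal() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# 0 if hostname $1 appears as a name on a non-comment line of hosts file $2.
# Dots in $1 are regex wildcards; loose, but fine for a config sanity check.
pinned_in_hosts() {
    grep -Eq "^[^#]*[[:space:]]$1([[:space:]]|\$)" "$2"
}

# $1: space-separated NTP server list, $2: hosts file.
# 0 if every server is reachable without DNS(SEC), 1 on the first that is not.
ntp_servers_bootstrap_safe() {
    for srv in $1; do
        if is_ipv4_literal "$srv" || pinned_in_hosts "$srv" "$2"; then
            continue
        fi
        echo "NTP server '$srv' needs DNS before the clock is set" >&2
        return 1
    done
    return 0
}

# Constructed hosts file standing in for /etc/hosts on the router.
HOSTS_FILE=$(mktemp)
printf '192.0.2.10 ntp.example.net ntp\n# 198.51.100.7 old-ntp.example.net\n' \
    > "$HOSTS_FILE"

if ! clock_is_sane "$(date +%s)"; then
    echo "clock not yet set; NTP must work without DNSSEC" >&2
fi
if ntp_servers_bootstrap_safe "ntp.example.net 192.0.2.11" "$HOSTS_FILE"; then
    echo "ok: all NTP servers reachable before DNSSEC validation"
fi
```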