Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping -- prototype!

["Toke Høiland-Jørgensen" <toke@toke.dk>]

[-- Attachment #1.1: Type: text/plain, Size: 2102 bytes --]

Right, so I took a stab at prototyping something based on the
--dnssec-no-timecheck option Simon just added to dnsmasq.

There's an updated dnsmasq package here:

http://archive.tohojo.dk/cerowrt/wndr/3.10.32-12-tohojo/packages/dnsmasq-dhcpv6_2014-03-29-b7639d58158c6e971535893b407560e136a27994_ar71xx.ipk

Which, apart from the change to dnsmasq itself, has a modification to
the init script that will add the parameter to dnsmasq on bootup (but
not on subsequent restarts), and then spawn a script that will check the
ntpd stratum status and wait for it to be set; or, if no stratum
information is available just set the time with ntpd -q. Once either the
time has been set, or ntpd reports a valid stratum, dnsmasq is sent
SIGHUP to turn dnssec time validation back on.

To get ntpd to report its stratum status, it is spawned with the -S
parameter which will periodically report its status, including stratum.
A small script then records that in a file which the dnsmasq script
checks. Since the script falls back to running ntpd -q, this change to
ntpd is not strictly necessary; but I thought it better to make it
available rather than running a second ntp sync on top of the running
ntpd server. To enable the ntpd modification, replace
/etc/init.d/sysntpd with the attached file, put this into
/usr/sbin/ntpd_record_stratum and chmod +x it:

#!/bin/sh
echo $stratum > /var/ntp.stratum

There's a busybox package with this modification included here, but I
can't promise it is built with the exact same options as the one
distributed with cerowrt (though it works for me):

http://archive.tohojo.dk/cerowrt/wndr/3.10.32-12-tohojo/packages/busybox_1.19.4-7_ar71xx.ipk



Please test this out and let me know if it works for you. It seems to
work for me; however, I have not been successful in actually getting my
router to boot up without the time synced. Not sure if it's just ntpd
that syncs up before the script runs (and then takes a while to update
its stratum), or if some hidden mechanism does something magical to set
the time (even when the *fixtime init scripts are disabled).


-Toke


[-- Warning: decoded text below may be mangled, UTF-8 assumed --]
[-- Attachment #1.2: sysntpd --]
[-- Type: text/x-sh, Size: 749 bytes --]

#!/bin/sh /etc/rc.common
# Copyright (C) 2011 OpenWrt.org

START=98

USE_PROCD=1
PROG=/usr/sbin/ntpd

validate_ntp_section() {
	uci_validate_section system timeserver "${1}" \
		'server:list(host)' 'enable_server:bool:0'
}

start_service() {
	local server enable_server peer

	validate_ntp_section ntp || {
		echo "validation failed"
		return 1
	}

	[ -z "$server" ] && return

	procd_open_instance
	procd_set_param command "$PROG" -n -S /usr/sbin/ntpd_record_stratum
	[ "$enable_server" = "1" ] && procd_append_param command -l
	for peer in $server; do
		procd_append_param command -p $peer
	done
	procd_set_param respawn
	procd_close_instance
}

service_triggers()
{
	procd_add_reload_trigger "system"
	procd_add_validation validate_ntp_section
}

[-- Attachment #2: signature.asc --]
[-- Type: application/pgp-signature, Size: 489 bytes --]