Re: [Cerowrt-devel] cerowrt 3.3.8-17: nice latency improvements, some issues with bind

[Michael Richardson <mcr@sandelman.ca>]

>>>>> "Dave" == Dave Taht <dave.taht@gmail.com> writes:
    >> I was using unbound on openwrt for dnssec before and I haven't
    >> noticed this problem.

    Dave> How is that on memory and configurability?

    >> However I had some .ro time servers configured, and apparently
    >> they use quite a wide range for their RRSIG, so maybe I was just
    >> lucky not to hit a situation where both .ro and .org would fail
    >> to validate.  RRSIG NS 5 2 7200 20120819122953 20120720122953....
    >> RRSIG NSEC 8 1 86400 20120824000000 20120816230000 ...
    >> 
    >> While the .org RRSIG has quite a recent timestamp: org.  900 IN
    >> RRSIG SOA 7 1 900 20120907184119 20120817174119
    >> 
    >> Added the .ro timeservers to cerowrt now, and will see if the
    >> problem occurs again.

    Dave> You were lucky, and it will. openwrt/cerowrt can periodically
    Dave> write the current time to flash, but not often enough for
    Dave> dnssec on a fresh boot, and more often would be mildly bad on
    Dave> flash wear.

My opinion is that we should 
  a) either turn off DNSSEC validation until we find a time server
     on first boot.
  b) ignore signatures that do not validate because they are too "new"

If we are writing the file system such that time can really never go
backwards, then we are pretty much immune to most replay attacks
egrevious replay attacks.  
(b) would require a new option to BIND/unbound.