From mboxrd@z Thu Jan 1 00:00:00 1970
Return-Path:
Received: from relay.sandelman.ca (relay.cooperix.net [67.23.6.41]) by huchra.bufferbloat.net (Postfix) with ESMTP id CC0D221F0E6 for ; Mon, 20 Aug 2012 07:09:37 -0700 (PDT)
Received: from sandelman.ca (24-139-16-154.eastlink.ca [24.139.16.154]) by relay.sandelman.ca (Postfix) with ESMTPS id 6B8418659; Mon, 20 Aug 2012 10:04:34 -0400 (EDT)
Received: from sandelman.ca (quigon.sandelman.ca [127.0.0.1]) by sandelman.ca (Postfix) with ESMTP id 0C506CA081; Sat, 18 Aug 2012 16:16:55 -0400 (EDT)
From: Michael Richardson
To: Dave Taht
In-reply-to:
References: <502E064C.50305@etorok.net> <502E9609.5040800@etorok.net>
Comments: In-reply-to Dave Taht message dated "Fri, 17 Aug 2012 12:52:53 -0700."
X-Mailer: MH-E 8.3; nmh 1.3; XEmacs 21.4 (patch 22)
Date: Sat, 18 Aug 2012 16:16:54 -0400
Message-ID: <9246.1345321014@sandelman.ca>
Sender: mcr@sandelman.ca
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] cerowrt 3.3.8-17: nice latency improvements, some issues with bind
X-BeenThere: cerowrt-devel@lists.bufferbloat.net
X-Mailman-Version: 2.1.13
Precedence: list
List-Id: Development issues regarding the cerowrt test router project
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Mon, 20 Aug 2012 14:09:38 -0000

>>>>> "Dave" == Dave Taht writes:

    >> I was using unbound on openwrt for dnssec before and I haven't
    >> noticed this problem.

    Dave> How is that on memory and configurability?

    >> However I had some .ro time servers configured, and apparently
    >> they use quite a wide range for their RRSIG, so maybe I was just
    >> lucky not to hit a situation where both .ro and .org would fail
    >> to validate.
    >> RRSIG NS 5 2 7200 20120819122953 20120720122953....
    >> RRSIG NSEC 8 1 86400 20120824000000 20120816230000 ...
    >>
    >> While the .org RRSIG has quite a recent timestamp: org. 900 IN
    >> RRSIG SOA 7 1 900 20120907184119 20120817174119
    >>
    >> Added the .ro timeservers to cerowrt now, and will see if the
    >> problem occurs again.

    Dave> You were lucky, and it will. openwrt/cerowrt can periodically
    Dave> write the current time to flash, but not often enough for
    Dave> dnssec on a fresh boot, and more often would be mildly bad on
    Dave> flash wear.

My opinion is that we should
a) either turn off DNSSEC validation until we find a time server on
   first boot.
b) ignore signatures that do not validate because they are too "new"

If we are writing the file system such that time can really never go
backwards, then we are pretty much immune to most egregious replay
attacks.

(b) would require a new option to BIND/unbound.
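The failure mode discussed in this thread is the RRSIG validity window: an RRSIG carries an expiration and an inception timestamp (YYYYMMDDHHMMSS, UTC, with expiration listed before inception in presentation format), and a validator compares both against its own clock. The script below is an added illustration, not code from the thread, from CeroWrt, or from BIND/unbound. It parses the RRSIG fields quoted above (the trailing key tag, signer name and signature are not on the page and are omitted), checks them against a constructed stale boot clock and a constructed correct clock, and models the two options Michael proposes as flags: `clock_synced=False` for option (a), skipping validation until a time server is found, and `allow_too_new=True` for option (b), accepting signatures that fail only because their inception is in the future. The scenario dates and the `validate` policy are assumptions made for the example.

```python
from datetime import datetime, timezone
from enum import Enum

# RRSIG inception/expiration in presentation format: YYYYMMDDHHMMSS, UTC (RFC 4034).
RRSIG_TIME_FMT = "%Y%m%d%H%M%S"


class Verdict(Enum):
    VALID = "valid"
    NOT_YET_VALID = "not yet valid"   # validator clock is before the inception time
    EXPIRED = "expired"               # validator clock is after the expiration time


def parse_rrsig_time(text):
    """Parse one RRSIG time field into a timezone-aware UTC datetime."""
    return datetime.strptime(text, RRSIG_TIME_FMT).replace(tzinfo=timezone.utc)


def parse_rrsig(rdata):
    """Parse the leading RRSIG RDATA fields:
    type_covered algorithm labels original_ttl expiration inception ...
    Note the order: expiration comes before inception on the wire and in zone files."""
    fields = rdata.split()
    if len(fields) < 6:
        raise ValueError("RRSIG rdata too short: %r" % rdata)
    return {
        "type_covered": fields[0],
        "algorithm": int(fields[1]),
        "labels": int(fields[2]),
        "original_ttl": int(fields[3]),
        "expiration": parse_rrsig_time(fields[4]),
        "inception": parse_rrsig_time(fields[5]),
    }


def check_window(sig, now):
    """Classify the signature's validity window relative to the clock `now`."""
    if now < sig["inception"]:
        return Verdict.NOT_YET_VALID
    if now > sig["expiration"]:
        return Verdict.EXPIRED
    return Verdict.VALID


def validate(sig, now, clock_synced, allow_too_new=False):
    """Assumed policy modelling the thread's two options.

    clock_synced=False  -> option (a): no time source yet, so skip the window check.
    allow_too_new=True  -> option (b): accept a signature whose only problem is that
                           its inception lies in the future (the clock is behind);
                           an expired signature is still rejected, which is the
                           replay protection a never-backwards clock relies on.
    """
    if not clock_synced:
        return True
    verdict = check_window(sig, now)
    if verdict is Verdict.VALID:
        return True
    return verdict is Verdict.NOT_YET_VALID and allow_too_new


# The RRSIG fields quoted in the thread (leading "RRSIG" RR type dropped; trailing
# key tag, signer and signature omitted because they are not on the page).
SAMPLES = {
    "ro NS":   "NS 5 2 7200 20120819122953 20120720122953",
    "ro NSEC": "NSEC 8 1 86400 20120824000000 20120816230000",
    "org SOA": "SOA 7 1 900 20120907184119 20120817174119",
}

# Constructed clocks: a router booting with a time last written to flash on
# 2012-08-10, the real time on the day of the reply, and a clock two days later.
STALE_BOOT_CLOCK = datetime(2012, 8, 10, 0, 0, 0, tzinfo=timezone.utc)
REAL_TIME = datetime(2012, 8, 18, 20, 0, 0, tzinfo=timezone.utc)
LATE_CLOCK = datetime(2012, 8, 20, 0, 0, 0, tzinfo=timezone.utc)


def verdicts(now):
    """Window verdict (as a string) for every sample RRSIG at clock `now`."""
    return {name: check_window(parse_rrsig(r), now).value for name, r in SAMPLES.items()}


if __name__ == "__main__":
    for label, clock in (("stale boot clock", STALE_BOOT_CLOCK), ("real time", REAL_TIME)):
        print(label, clock.isoformat(), verdicts(clock))
    org = parse_rrsig(SAMPLES["org SOA"])
    print("org SOA, stale clock, option (a):", validate(org, STALE_BOOT_CLOCK, clock_synced=False))
    print("org SOA, stale clock, strict:    ", validate(org, STALE_BOOT_CLOCK, clock_synced=True))
    print("org SOA, stale clock, option (b):", validate(org, STALE_BOOT_CLOCK, clock_synced=True, allow_too_new=True))
```

With the stale boot clock the .ro NS signature, incepted on 2012-07-20, is inside its window and passes, while the .org SOA signature incepted on 2012-08-17 is "not yet valid"; that is the difference the original poster noticed. Option (b) only relaxes the not-yet-valid direction: a signature whose expiration has passed (the .ro NS RRSIG at the 2012-08-20 clock) is still rejected, so the protection against replaying old, expired records remains as long as the stored clock never moves backwards.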