From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-wg0-x232.google.com (mail-wg0-x232.google.com [IPv6:2a00:1450:400c:c00::232]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by huchra.bufferbloat.net (Postfix) with ESMTPS id 19D0121F1E7 for ; Mon, 24 Mar 2014 14:58:13 -0700 (PDT) Received: by mail-wg0-f50.google.com with SMTP id x13so3954991wgg.9 for ; Mon, 24 Mar 2014 14:58:12 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:date:message-id:subject:from:to :cc:content-type:content-transfer-encoding; bh=apkrHaF1OLeL9TY1LsrUDqzai2f59RwCWLshxHDyEsk=; b=dFKD6q6LxF5hDu7kK1Lyi44dTSloZk9ZvX/uh+4FP5Kv84npst05MX4uQ4TjtR56rx 7Bm8hW9sSE2z/xai2rKTMvgc2q/DWRdqY0z34Sa2b5gVK1A3EbKhyNaPJ/m5YDFQ5W0t P6SGknW1Suun+29LP+TCkkJFcJ7y8JtMrrQb+HfQRJTPKaEsfjZ47tYponRKXmh4lEsP IU1g97ZH48GtUqnRBPNByh6u6KBIOHPPcbCVxuWPNoAoJhSofsJyCVcMLMhozC2Hwhkx d7l1mH7+UHSgwLVYJ9twiKLtAEuLUR3q6VBnKO5D8WalDjGiFbuSUqlTMlUlEZpg8FEl bhsQ== MIME-Version: 1.0 X-Received: by 10.180.37.178 with SMTP id z18mr19051152wij.46.1395698291984; Mon, 24 Mar 2014 14:58:11 -0700 (PDT) Received: by 10.216.8.1 with HTTP; Mon, 24 Mar 2014 14:58:11 -0700 (PDT) In-Reply-To: References: <20140324191203.GA78098@redoubt.spodhuis.org> Date: Mon, 24 Mar 2014 14:58:11 -0700 Message-ID: From: Dave Taht To: David Personette Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: quoted-printable Cc: "cerowrt-devel@lists.bufferbloat.net" Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Mon, 24 Mar 2014 21:58:14 -0000 I ship dig as an optional package for cerowrt. I think it's in bind-tools or bind-utils. It is terribly big, but most people hae enough spare flash to have it. An opkg update opkg list | less will show you what is available. I will argue that nobody wants to add functionality to the primitive nsupdate.... On Mon, Mar 24, 2014 at 1:27 PM, David Personette wrote= : > Phil, > > With the exception of the extra dependencies (dig and python), I like thi= s. > I would suggest that if DNSSEC will be enabled, that nslookup (I think > that's the only command line resolver included by CeroWRT/OpenWRT base > installs) be extended to have a similar option as dig, to resolve without > DNSSEC. > > The only other issue I see is if the router is brought online before > internet access is available. If I read your code correctly, it will try = 4 > times per defined server (with and without DNSSEC for IPv4 and IPv6), the= n > exit. It either needs to keep trying until it succeeds, or be called ever= y > time a connection comes up (shutting down NTPd prior and restarting after= ). > > Thanks. > > -- > David P. > > > > On Mon, Mar 24, 2014 at 3:12 PM, Phil Pennock > wrote: >> >> On 2014-03-21 at 23:33 -0400, Joseph Swick wrote: >> > I've been lurking for several months now on the list and I remember so= me >> > discussion about trying to find acceptable methods for bootstrapping t= he >> > local system time so that DNSSEC would work. >> >> I raised this on the ntp-pool mailing-lists last year, looking for a >> solution because of the chicken/egg bootstrap, with suggested approaches >> and some trial scripts. Eg: >> >> http://lists.ntp.org/pipermail/pool/2013-July/006569.html >> >> For context, I'm currently running OpenWRT; attached is the >> /etc/init.d/ntpdate which I'm using. It relies upon having Python and >> dig installed, as I haven't gotten around to building a small C utility >> to do just this task, but perhaps the approach is useful enough that >> someone else might do so? >> >> In summary: if the current time is less than the timestamp on the >> unbound-maintained copy of the root zone trust anchors, then bump the >> time up at least that far, because we must be at >=3D that timestamp, an= d >> this increases the odds that DNSSEC will validate if we haven't been >> off-line for too long. >> >> Then, for each hostname in the $STEP_SERVERS list (which could be >> taken from ntp.conf or uci config or whatever, but here is just >> hardcoded), I try to resolve IPv4 then IPv6, first with DNSSEC left >> enabled, and then with DNSSEC disabled via `dig +cd`. The first dig >> command to return results is the one which is used. >> >> The idea is to minimize the potential vulnerability of syncing to a bad >> timesource, by using DNSSEC if it's available and works, after making >> sure it has a reasonable chance of working if we've just rebooted, and >> only if we've been off-line for some time do we fall back to insecure >> DNS. >> >> Make sure that the START value is appropriate for your systems; I've >> found the OpenWRT defaults to be sufficiently broken that I stomp on >> them on reinstall. I run ntpdate once the network and firewall are up, >> but just before ntpd and both of those well before other network >> services which might depend upon time. >> >> Regards, >> -Phil >> >> #!/bin/sh /etc/rc.common >> # Copyright (C) 2006-2008 OpenWrt.org >> # Copyright (C) 2013 Phil Pennock >> >> START=3D60 >> >> STEP_SERVERS=3D"0.openwrt.pool.ntp.org 1.openwrt.pool.ntp.org >> 2.openwrt.pool.ntp.org" >> TIMEOUT=3D"2" # in seconds >> PRESEED_TIMESTAMP_FN=3D"/etc/unbound/runtime/root.autokey" >> >> # The core problem is that with DNSSEC, an invalid time prevents >> resolution >> # of DNS, but we need DNS to be able to find time-servers to get a good >> time >> # to be able to resolve DNS. >> # >> # We break out of this "Catch 22" situation by _trying_ normal DNS >> resolution, >> # IPv4 and then IPv6, and only if those fail do we forcibly disable DNSS= EC >> # by using dig(1)'s +cd flag ("checking disabled"); trying normally firs= t >> # protects us against malicious DNS trying to point us to bad >> time-servers, >> # if we've enough state that we _should_ already be protected. >> # >> # The "insecure" approach we regress to, as a last resort, is the same w= ay >> # the Internet functioned for decades. There is a DoS+hijack attack pat= h >> # here, but if we don't have a good battery-backed clock to protect us, = we >> # don't have a better solution. >> >> # Also, per a suggestion from Doug Calvert, we can use the timestamp of >> # modification of the unbound root.key file itself as an approximate tim= e. >> # Unbound updates the file on every refresh, so it's not too far off. >> >> preseed_approximate_time() { >> # Unfortunately, date(1) on OpenWRT can't parse the timestamp >> # output from ls. >> python -c ' >> import os, time, sys >> fn=3Dsys.argv[1] >> min_time=3Dos.stat(fn).st_ctime >> if time.time() < min_time: >> want=3Dtime.strftime("%Y%m%d%H%M.%S", time.gmtime(min_time)) >> os.system("date -u -s %s" % want)' "$PRESEED_TIMESTAMP_FN" > /dev/null >> } >> >> resolve_hostname_v4() { >> # we use the grep both to filter out cname referrals and to detect empty >> # results >> local hn=3D"$1" >> shift >> dig +nodnssec +short "$@" -t a "$hn" | grep '^[0-9][0-9.]*$' >> } >> >> resolve_hostname_v6() { >> local hn=3D"$1" >> shift >> dig +nodnssec +short "$@" -t aaaa "$hn" | grep -i >> '^[0-9a-f][0-9a-f.:]*$' >> } >> >> resolve_one_server() { >> local hn=3D"$1" >> resolve_hostname_v4 $hn && return >> resolve_hostname_v6 $hn && return >> resolve_hostname_v4 $hn +cd && return >> resolve_hostname_v6 $hn +cd && return >> } >> >> resolve_step_servers() { >> local server ips >> for server in $STEP_SERVERS ; do >> resolve_one_server $server >> done >> } >> >> start() { >> preseed_approximate_time >> for s in $(resolve_step_servers) ; do >> /usr/sbin/ntpdate -s -b -u -t "$TIMEOUT" "$s" && break >> done >> >> } >> >> _______________________________________________ >> Cerowrt-devel mailing list >> Cerowrt-devel@lists.bufferbloat.net >> https://lists.bufferbloat.net/listinfo/cerowrt-devel >> > > > _______________________________________________ > Cerowrt-devel mailing list > Cerowrt-devel@lists.bufferbloat.net > https://lists.bufferbloat.net/listinfo/cerowrt-devel > --=20 Dave T=E4ht Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.= html