Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping -- prototype!

[Dave Taht <dave.taht@gmail.com>]

On Sun, Mar 30, 2014 at 6:21 AM, Toke Høiland-Jørgensen <toke@toke.dk> wrote:
> Dave Taht <dave.taht@gmail.com> writes:
>
>> Well I strongly favor less interdependency between ntp, a monitoring
>> script, and dnsmasq.
>
> Well, the reverse dependency (i.e. the modification of the ntpd startup
> script) is not strictly needed, so the dependency could be made to be
> one-way (it kinda is already). Also, in case ntpd is missing it's quite
> easy to just bail out and start dnsmasq in full validation mode.
>
> The nice thing about this switch to dnsmasq is that it does validation
> of the chain, just ignoring validity times; which presumably would make
> it harder to exploit as you'd need an actual valid key, rather than just
> be able to spoof the packets reply of the non-validated query...
>
>> I'd kind of like some sort of check on validating the dns roots, if it
>> fails due to the time being wrong, disable dnssec and wait for clock
>> slew.
>
> Well conceivably you could be in a situation where the roots validate,
> but validation fails further down the chain, making that scheme fail in
> weird and unpredictable ways?

http://www.bortzmeyer.org/dns-routing-hijack-turkey.html

?

>> Another other alternative is a ntp that does a query with the
>> authenticate bit off, all the time.

>
> This would involve teaching the uclibc resolver about the CD bit and
> expose it in the resolver API I think. Can look into how difficult this
> actually is to do; with the caveat that I'm not exactly an expert on
> such code :P


>
> Also, see above re: validation modes.
>
>> On Sat, Mar 29, 2014 at 2:21 PM, Michael Richardson <mcr@sandelman.ca> wrote:
>>>
>>> This process needs to be written up as an IETF BCP.
>
> I'll be happy to write something up once we actually settle on something :)
>
> -Toke



-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html