From: Dave Taht
To: Toke Høiland-Jørgensen
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping -- prototype!
Date: Sun, 30 Mar 2014 09:59:51 -0700

On Sun, Mar 30, 2014 at 6:21 AM, Toke Høiland-Jørgensen wrote:
> Dave Taht writes:
>
>> Well I strongly favor less interdependency between ntp, a monitoring
>> script, and dnsmasq.
>
> Well, the reverse dependency (i.e. the modification of the ntpd startup
> script) is not strictly needed, so the dependency could be made to be
> one-way (it kinda is already). Also, in case ntpd is missing it's quite
> easy to just bail out and start dnsmasq in full validation mode.
>
> The nice thing about this switch to dnsmasq is that it does validation
> of the chain, just ignoring validity times; which presumably would make
> it harder to exploit as you'd need an actual valid key, rather than just
> be able to spoof the packet reply of the non-validated query...
>
>> I'd kind of like some sort of check on validating the dns roots, if it
>> fails due to the time being wrong, disable dnssec and wait for clock
>> slew.
>
> Well conceivably you could be in a situation where the roots validate,
> but validation fails further down the chain, making that scheme fail in
> weird and unpredictable ways?

http://www.bortzmeyer.org/dns-routing-hijack-turkey.html ?

>> Another alternative is an ntp that does a query with the
>> authenticate bit off, all the time.
>
> This would involve teaching the uclibc resolver about the CD bit and
> expose it in the resolver API I think. Can look into how difficult this
> actually is to do; with the caveat that I'm not exactly an expert on
> such code :P
>
> Also, see above re: validation modes.
>
>> On Sat, Mar 29, 2014 at 2:21 PM, Michael Richardson wrote:
>>>
>>> This process needs to be written up as an IETF BCP.
>
> I'll be happy to write something up once we actually settle on something :)
>
> -Toke

-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
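As an added illustration of the two ideas in the thread, a query with the CD (checking disabled) bit set and a "did validation fail, or did resolution fail" check, here is example code written for this page; it is not dnsmasq's, uclibc's or any list member's code, and the reply packets it examines are constructed:

```python
"""DNS query with the CD (Checking Disabled) bit and a validate-vs-CD check.
Added example, not code from dnsmasq, uclibc or this thread; replies are constructed."""
import struct

# Bits of the 16-bit flags word in the DNS header (RFC 1035, RFC 4035).
QR = 0x8000  # message is a response
RD = 0x0100  # recursion desired
RA = 0x0080  # recursion available
AD = 0x0020  # authenticated data: the resolver validated the answer
CD = 0x0010  # checking disabled: ask the resolver not to validate
RCODE_MASK = 0x000F
RCODE_NOERROR, RCODE_SERVFAIL = 0, 2

def encode_name(name):
    """Wire-format a domain name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def build_query(txid, name, qtype=1, checking_disabled=False):
    """Header plus one question (class IN); CD set only when requested."""
    flags = RD | (CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    """Decode the header fields the bootstrap check needs."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "qr": bool(flags & QR), "ad": bool(flags & AD),
            "cd": bool(flags & CD), "rcode": flags & RCODE_MASK, "ancount": an}

def validation_outcome(validated_reply, cd_reply):
    """Compare a validating (CD=0) reply with a CD=1 reply for the same name.
    SERVFAIL on the validating query but NOERROR with answers on the CD query
    means the data exists upstream but the chain did not verify: the pattern a
    wrong clock produces (signatures outside their validity window) and also
    the pattern a bogus zone produces, so the caller cannot tell them apart."""
    v, c = parse_header(validated_reply), parse_header(cd_reply)
    if v["rcode"] == RCODE_NOERROR and v["ad"]:
        return "validated"
    if v["rcode"] == RCODE_SERVFAIL and c["rcode"] == RCODE_NOERROR and c["ancount"] > 0:
        return "validation-failed"
    return "resolver-error"

# Constructed sample replies (header only; the check reads just the header).
SERVFAIL_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | RCODE_SERVFAIL, 1, 0, 0, 0)
CD_OK_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | CD, 1, 1, 0, 0)
VALIDATED_REPLY = struct.pack("!HHHHHH", 0x1234, QR | RD | RA | AD, 1, 1, 0, 0)
```

The "validation-failed" outcome is exactly the ambiguous case raised above: a wrong clock and a hijacked or broken zone look the same from the header, so a bootstrap script should only relax validation for as long as it takes to get a trusted time, not treat the failure as proof that the clock is the problem.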