From: Dave Taht <dave.taht@gmail.com>
To: Joseph Swick <cerowrt@decoy.cotse.net>
Cc: "cerowrt-devel@lists.bufferbloat.net"
<cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping
Date: Sat, 22 Mar 2014 17:42:08 +0000
Message-ID: <CAA93jw6GDnoP8_0ZBuQhK0cF2JTWrp281mRWMh5UCUvQ2r71EQ@mail.gmail.com>
In-Reply-To: <MTAwMDA0MC5kZWNveQ.1395459208@quikprotect>
On Sat, Mar 22, 2014 at 3:33 AM, Joseph Swick <cerowrt@decoy.cotse.net> wrote:
> Hi List,
> I've been lurking for several months now on the list and I remember some
> discussion about trying to find acceptable methods for bootstrapping the
> local system time so that DNSSEC would work.
>
> I recently got around to updating my router a week or two ago from 3.7.?
> to 3.10.28-16 because Comcast finally switched on IPv6 for my neck of
> the woods (realized this when I finally noticed the performance impact
> of the issues with Comcast IPv6 and the 3.7 release) .

I really, really, really want to get the Comcast users off of 3.7.x. That bug
is rather severe.

> Tonight, I went
> and reset my configuration this evening to clear out some mistakes I
> made (that was keeping IPv6 from working). Then I noticed that was
> getting SERVFAIL for some domains (e.g.: bufferbloat.net) and not others
> and (in trying to keep this short) I finally remembered to check the
> clock on the router and saw that it was set to Feb 24th instead of the
> correct time & date.
>
> Is the current recommendation still to put in a couple of IPs for NTP
> servers into the config of the router? Or has there been more work
> towards resolving the NTP bootstrap issue in the more recent releases?

There has not (as yet) been any work put into resolving the thorny
ntp/dnssec interrelationship problem. (famous bug #113 in the cerowrt
database). (Not having been running any releases for long enough for it
to become a problem made it slip my mind!)

There WAS a bug in openwrt's ntp which led to only one ntp server being
queried, rather than the default 4. This was fixed several releases back.
So you failed to get a valid time from the one ntp server you saw, and
things degraded from there.

The ntp servers queried presently largely are not dnssec signed, so the
ntp queries should succeed (I think?) in the general case. However, for
robustness, I'd argue for enhancing the ntp startup script to
temporarily disable dnssec until it gets a valid time, and then
enabling it. I believe support for running the script was added to
busybox ntp, the problem remaining is how to tell dnsmasq about it
correctly.

> TIA.
>
> -Joseph
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@lists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
--
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
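
A sketch of the time-gated hook described in the message above, as an added example that is not part of the original message or of CeroWrt. It assumes busybox ntpd is started with `-S` pointing at this script (ntpd passes the event name as `$1` and exports `$stratum`), and that dnsmasq is started with `--dnssec-no-timecheck`, an option not mentioned in this message, so that SIGINT turns signature time checks on; the flag path and the epoch floor are constructed values.

```shell
#!/bin/sh
# Hypothetical busybox ntpd hook (ntpd -S /path/to/this/script).
# ntpd calls it with $1 = step|stratum|periodic|unsync and exports $stratum.

# Constructed floor (2014-03-01 00:00 UTC): a clock earlier than this is
# treated as "not set yet". A real image would use its own build time.
MIN_EPOCH=1393632000
# Constructed marker path so dnsmasq is signalled only once per boot.
FLAG=${FLAG:-/tmp/dnssec-timecheck-enabled}

# Decide what one ntpd event means. Prints "enable" when the clock can be
# trusted for DNSSEC signature validity windows, otherwise "wait".
ntp_event_action() {
    event=$1; stratum=$2; now=$3
    case "$event" in
        step|stratum|periodic) ;;
        *) echo wait; return ;;          # unsync or unknown event
    esac
    case "$stratum" in
        ''|*[!0-9]*) echo wait; return ;; # missing or non-numeric stratum
    esac
    # Stratum 16 means ntpd is not synchronised to any server.
    [ "$stratum" -lt 16 ] || { echo wait; return; }
    # Refuse a "synchronised" clock that is still implausibly old.
    [ "$now" -ge "$MIN_EPOCH" ] || { echo wait; return; }
    echo enable
}

# Tell dnsmasq to start enforcing signature time windows.
# Assumption: dnsmasq was started with --dnssec-no-timecheck.
enable_timecheck() {
    [ -e "$FLAG" ] && return 0
    pid=$(pidof dnsmasq) || return 1
    kill -INT $pid && : > "$FLAG"
}

# Act only when invoked by ntpd with one of its event names.
case "$1" in
    step|stratum|periodic|unsync)
        if [ "$(ntp_event_action "$1" "${stratum:-16}" "$(date +%s)")" = enable ]; then
            enable_timecheck
        fi
        ;;
esac
```

Until the hook fires, dnsmasq still validates signatures cryptographically and skips only the validity-window comparison, so a router whose clock is stuck at an old date can resolve the signed names it needs to reach its NTP servers.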