From: Aaron Wood
To: Michael Richardson
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Mon, 24 Mar 2014 10:51:44 +0100
Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping
In-Reply-To: <12727.1395614516@sandelman.ca>
References: <8738i9rwrx.fsf@alrua-x1.karlstad.toke.dk> <12727.1395614516@sandelman.ca>
List-Id: Development issues regarding the cerowrt test router project
> The ., org. keys are not going to grow multiple year expiries, so we need our
> own thing to cache. One could cache the DNSKEY for bufferbloat.net along
> with the root zone keys... then lookup ntp.bufferbloat.net. It would have to
> return A/AAAA records, because chasing a CNAME into ntp.org would fail to
> validate.
>
> > of the entry, for the resolution of ntp server names, and then you have to
> > somehow convey to the resolver that you want a secure lookup, but it's ok if
> > it's expired (or too new, or...), which gets back to some of the earlier parts
> > of this discussion.
>
> Bingo.

That would scale well for CeroWRT, but doesn't seem like it would scale well
for general-use (OpenWRT). Or rather, the use of bufferbloat.net wouldn't
scale well. But OpenWRT might be able to do the same with its key, and have
its own ntp.openwrt.org which resolves into the general ntp pool.

-Aaron
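The bootstrap policy the thread converges on (a vendor zone key cached on flash next to the root keys, a lookup of ntp.<zone> that must answer with A/AAAA rather than a CNAME into ntp.org, and a resolver mode that still demands a validated answer but tolerates an expired or not-yet-valid signature while the router clock is wrong) as an added Python model. This is not code from CeroWRT, OpenWRT or anyone in the thread. Real RRSIG verification over the canonical RRset is replaced by an HMAC stand-in so the script runs offline, and the zone key, addresses, timestamps and the bootstrap-name-only relaxation are constructed assumptions.

```python
"""Model of the DNSSEC/NTP bootstrap policy from the thread (added example,
not CeroWRT/OpenWRT code). RRSIG verification is an HMAC stand-in so this
runs offline; keys, addresses and timestamps are constructed placeholders."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Iterable, Tuple


@dataclass(frozen=True)
class RRset:
    name: str               # owner name, e.g. "ntp.bufferbloat.net"
    rtype: str              # "A", "AAAA" or "CNAME"
    rdata: Tuple[str, ...]  # record data


@dataclass(frozen=True)
class RRSIG:
    signer: str             # zone whose cached key must verify this
    inception: int          # Unix time the signature becomes valid
    expiration: int         # Unix time it stops being valid
    mac: bytes              # stand-in for the RRSIG signature field


def _covered(rrset: RRset, signer: str, inception: int, expiration: int) -> bytes:
    """Canonical bytes the signature covers: owner, type, sorted rdata, signer, window."""
    rdata = " ".join(sorted(rrset.rdata))
    return f"{rrset.name.lower()} {rrset.rtype} {rdata} {signer} {inception} {expiration}".encode()


def sign_rrset(rrset: RRset, signer: str, key: bytes, inception: int, expiration: int) -> RRSIG:
    mac = hmac.new(key, _covered(rrset, signer, inception, expiration), hashlib.sha256).digest()
    return RRSIG(signer, inception, expiration, mac)


def signature_authentic(rrset: RRset, sig: RRSIG, key: bytes) -> bool:
    expected = hmac.new(key, _covered(rrset, sig.signer, sig.inception, sig.expiration),
                        hashlib.sha256).digest()
    return hmac.compare_digest(expected, sig.mac)


class BootstrapValidator:
    """Strict DNSSEC timing for every name except the configured bootstrap names
    (the NTP server), which may carry an expired or not-yet-valid signature while
    the clock is wrong, but only as A/AAAA signed directly by a cached zone key."""

    def __init__(self, trust_anchors: Dict[str, bytes], bootstrap_names: Iterable[str]):
        self.trust_anchors = {z.lower(): k for z, k in trust_anchors.items()}
        self.bootstrap_names = {n.lower() for n in bootstrap_names}

    def validate(self, rrset: RRset, sig: RRSIG, now: int) -> Tuple[bool, str]:
        name, signer = rrset.name.lower(), sig.signer.lower()
        key = self.trust_anchors.get(signer)
        if key is None:
            return False, f"no cached key for {signer}"
        if not (name == signer or name.endswith("." + signer)):
            return False, f"{signer} is not authoritative for {name}"
        if not signature_authentic(rrset, sig, key):   # authenticity is never relaxed
            return False, "signature does not verify"
        in_window = sig.inception <= now <= sig.expiration
        if name not in self.bootstrap_names:
            return (True, "ok") if in_window else (False, "signature outside validity window")
        if rrset.rtype not in ("A", "AAAA"):           # a CNAME into ntp.org cannot be chased
            return False, f"bootstrap answer must be A/AAAA, got {rrset.rtype}"
        return True, ("ok" if in_window else "ok (validity window ignored for bootstrap name)")


# Constructed placeholders: a zone key cached on flash next to the root keys.
ZONE = "bufferbloat.net"
ZONE_KEY = b"constructed-bufferbloat.net-zone-key"
NTP_NAME = "ntp.bufferbloat.net"
INCEPTION, EXPIRATION = 1_395_000_000, 1_396_000_000   # roughly March 2014


def demo() -> Dict[str, Tuple[bool, str]]:
    """Runs the scenarios discussed in the thread; returns scenario -> (ok, reason)."""
    v = BootstrapValidator({ZONE: ZONE_KEY}, [NTP_NAME])
    ntp_a = RRset(NTP_NAME, "A", ("203.0.113.10", "203.0.113.11"))      # TEST-NET-3
    ntp_sig = sign_rrset(ntp_a, ZONE, ZONE_KEY, INCEPTION, EXPIRATION)
    web_a = RRset("www.bufferbloat.net", "A", ("203.0.113.20",))
    web_sig = sign_rrset(web_a, ZONE, ZONE_KEY, INCEPTION, EXPIRATION)
    ntp_cname = RRset(NTP_NAME, "CNAME", ("pool.ntp.org",))
    cname_sig = sign_rrset(ntp_cname, ZONE, ZONE_KEY, INCEPTION, EXPIRATION)
    tampered = RRset(NTP_NAME, "A", ("198.51.100.1",))                 # rdata swapped, old sig
    foreign_sig = sign_rrset(ntp_a, "ntp.org", b"constructed-ntp.org-key", INCEPTION, EXPIRATION)
    return {
        "ntp_clock_at_epoch": v.validate(ntp_a, ntp_sig, 0),            # clock at 1970: sig "too new"
        "ntp_clock_synced": v.validate(ntp_a, ntp_sig, 1_395_500_000),  # strict path once NTP ran
        "web_clock_at_epoch": v.validate(web_a, web_sig, 0),            # any other name: rejected
        "ntp_cname_into_ntp_org": v.validate(ntp_cname, cname_sig, 0),
        "ntp_tampered_rdata": v.validate(tampered, ntp_sig, 0),
        "ntp_signed_by_unknown_zone": v.validate(ntp_a, foreign_sig, 0),
    }


if __name__ == "__main__":
    for scenario, (ok, reason) in demo().items():
        print(f"{scenario:28s} {'PASS' if ok else 'FAIL':4s} {reason}")
```

The relaxation is the risky part: while the clock is unset, an old but genuinely signed answer for the NTP name would be accepted, which is why the model confines it to that one name, to address records only, and to signatures that still verify under the cached key; every other name, and the NTP name itself once time is set, goes through the normal validity window check.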