From: Aaron Wood
To: Joseph Swick
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Sun, 23 Mar 2014 11:12:34 +0100
Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping
List-Id: Development issues regarding the cerowrt test router project

> > The ntp servers queried presently largely are not dnssec signed, so
> > the ntp queries should succeed (I think?) in the general case. However, for
> > robustness, I'd argue for enhancing the ntp startup script to
> > temporarily disable dnssec until it gets a valid time, and then
> > enabling it. I believe support for running the script was added to
> > busybox ntp; the problem remaining is how to tell dnsmasq about it
> > correctly.
>
> Ok, part of my issue was probably also that the clock was so far off, it
> didn't want to skew to the correct time.

Something I've done in the past on systems without RTCs is to have the ntp init script loop on calling ntpdate until it gets a valid time, and then switch over to the continuously running ntpd. Everything that needs the correct time then has to start after ntp. But with DNSSEC, that's going to push the need to have the ntp servers specified by IP address, not by hostname, or to have them never be secure, or we find a way to have long-lived dnssec entries. I think raw IP address specification is probably safer than trying to do something like creating an insecure window around dnssec.

-Aaron
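An added example, not code from this thread or from the CeroWrt project, of the init-script shape Aaron describes: NTP servers given by raw IP address so nothing has to be resolved (and so nothing is DNSSEC-validated) before the clock is right, a retry loop on a one-shot clock step until the clock is plausible, then a hand-off to the continuously running ntpd. The server addresses, the build-time epoch and the retry limits are assumed placeholders.

```shell
# Added example (not code from the thread or from CeroWrt): the init-time
# bootstrap Aaron describes. Servers are raw IPs so no DNS/DNSSEC lookup is
# needed before the clock is valid; a one-shot step is retried until the
# clock is plausible; only then do ntpd and time-dependent services start.

# RFC 5737 documentation addresses: assumed placeholders, not real servers.
NTP_SERVERS="${NTP_SERVERS:-192.0.2.1 192.0.2.2}"
# Firmware build time (assumed: this mail's date). An earlier clock is known
# wrong: an RTC-less box boots believing it is 1970.
BUILD_EPOCH="${BUILD_EPOCH:-1395569554}"
MAX_TRIES="${MAX_TRIES:-30}"; RETRY_DELAY="${RETRY_DELAY:-5}"

# 0 if the given epoch (default: the system clock) is after the build time.
time_is_sane() {
    now="${1:-$(date +%s)}"
    [ "$now" -ge "$BUILD_EPOCH" ]
}

# Step the clock against each server in turn; 0 on the first success. Both
# ntpdate -b and busybox "ntpd -q" step even for a multi-year offset.
step_clock_once() {
    for s in $NTP_SERVERS; do
        if command -v ntpdate >/dev/null 2>&1; then
            cmd="ntpdate -b $s"
        else
            cmd="ntpd -q -n -p $s"
        fi
        if $cmd >/dev/null 2>&1; then return 0; fi
    done
    return 1
}

# Loop until the clock passes the sanity check or MAX_TRIES is exhausted.
bootstrap_time() {
    tries=0
    until time_is_sane; do
        tries=$((tries + 1))
        [ "$tries" -le "$MAX_TRIES" ] || return 1
        step_clock_once || sleep "$RETRY_DELAY"
    done
    return 0
}

# Hand-off, guarded so the functions can be sourced: bootstrap, then exec the
# long-running busybox ntpd. Start the DNSSEC-validating resolver after this.
if [ "${NTP_BOOTSTRAP_RUN:-0}" = 1 ]; then
    bootstrap_time || { echo "ntp bootstrap failed" >&2; exit 1; }
    for s in $NTP_SERVERS; do set -- "$@" -p "$s"; done
    exec ntpd -n "$@"
fi
```

Run it with NTP_BOOTSTRAP_RUN=1 from the ntp init script; services that need a correct clock are ordered after it.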