From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from mail-yh0-x22a.google.com (mail-yh0-x22a.google.com [IPv6:2607:f8b0:4002:c01::22a]) (using TLSv1 with cipher RC4-SHA (128/128 bits)) (Client CN "smtp.gmail.com", Issuer "Google Internet Authority G2" (verified OK)) by huchra.bufferbloat.net (Postfix) with ESMTPS id 9023521F243 for ; Tue, 25 Mar 2014 02:55:24 -0700 (PDT) Received: by mail-yh0-f42.google.com with SMTP id t59so159327yho.15 for ; Tue, 25 Mar 2014 02:55:23 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20120113; h=mime-version:in-reply-to:references:from:date:message-id:subject:to :cc:content-type; bh=1hMjIOQS/Bd6QvQ5nPjwJbBoebpt6Joj63e7II7aOL4=; b=FCqkrpDwcVRjY13yfMhjY+OlU8bQhOS+PqTiokvwrmyDN261adkDc+JFNSCuLytoOf bGLkBjXVGTxHVbOgZtvAJaoSEMu1jxVcQT0ovm5jKN2f2lcVqRC5tn4/Au7VxriGy+RM oJNz4O7B0yIspC3k9yTRqP/At1j5pXy7tnHJKWV2yseki2u92POrxlRxVljYwJHhLN68 qwjPXCJ8XZEcCoOtez4XOzUwpeikoTjcWQ3E8WawguK9N1j7hLxtHhiDgxPhH3HuTbNQ 7C4GQHM6TYGqrU4CZ2ZX7PN+pMfvZwO+78/J1dqp77eXG3XCM35NBvur75knww6acg3h WBMw== X-Received: by 10.236.60.68 with SMTP id t44mr71862148yhc.47.1395741323465; Tue, 25 Mar 2014 02:55:23 -0700 (PDT) MIME-Version: 1.0 Received: by 10.170.47.78 with HTTP; Tue, 25 Mar 2014 02:55:03 -0700 (PDT) In-Reply-To: References: <20140324191203.GA78098@redoubt.spodhuis.org> From: David Personette Date: Tue, 25 Mar 2014 05:55:03 -0400 Message-ID: To: Dave Taht Content-Type: multipart/alternative; boundary=bcaec508238cc89aa504f56b5941 Cc: "cerowrt-devel@lists.bufferbloat.net" Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping X-BeenThere: cerowrt-devel@lists.bufferbloat.net X-Mailman-Version: 2.1.13 Precedence: list List-Id: Development issues regarding the cerowrt test router project List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , X-List-Received-Date: Tue, 25 Mar 2014 09:55:24 -0000 --bcaec508238cc89aa504f56b5941 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: quoted-printable # ll $(which nslookup) lrwxrwxrwx 1 root root 17 Mar 21 13:16 /usr/bin/nslookup -> ../../bin/busybox I'm not sure it's the old nslookup that we're thinking of... --=20 David P. On Mon, Mar 24, 2014 at 5:58 PM, Dave Taht wrote: > I ship dig as an optional package for cerowrt. > > I think it's in bind-tools or bind-utils. It is terribly big, but most > people hae enough spare flash to have it. > > An > > opkg update > opkg list | less > > will show you what is available. > > I will argue that nobody wants to add functionality to the primitive > nsupdate.... > > On Mon, Mar 24, 2014 at 1:27 PM, David Personette > wrote: > > Phil, > > > > With the exception of the extra dependencies (dig and python), I like > this. > > I would suggest that if DNSSEC will be enabled, that nslookup (I think > > that's the only command line resolver included by CeroWRT/OpenWRT base > > installs) be extended to have a similar option as dig, to resolve witho= ut > > DNSSEC. > > > > The only other issue I see is if the router is brought online before > > internet access is available. If I read your code correctly, it will tr= y > 4 > > times per defined server (with and without DNSSEC for IPv4 and IPv6), > then > > exit. It either needs to keep trying until it succeeds, or be called > every > > time a connection comes up (shutting down NTPd prior and restarting > after). > > > > Thanks. > > > > -- > > David P. > > > > > > > > On Mon, Mar 24, 2014 at 3:12 PM, Phil Pennock > > wrote: > >> > >> On 2014-03-21 at 23:33 -0400, Joseph Swick wrote: > >> > I've been lurking for several months now on the list and I remember > some > >> > discussion about trying to find acceptable methods for bootstrapping > the > >> > local system time so that DNSSEC would work. > >> > >> I raised this on the ntp-pool mailing-lists last year, looking for a > >> solution because of the chicken/egg bootstrap, with suggested approach= es > >> and some trial scripts. Eg: > >> > >> http://lists.ntp.org/pipermail/pool/2013-July/006569.html > >> > >> For context, I'm currently running OpenWRT; attached is the > >> /etc/init.d/ntpdate which I'm using. It relies upon having Python and > >> dig installed, as I haven't gotten around to building a small C utilit= y > >> to do just this task, but perhaps the approach is useful enough that > >> someone else might do so? > >> > >> In summary: if the current time is less than the timestamp on the > >> unbound-maintained copy of the root zone trust anchors, then bump the > >> time up at least that far, because we must be at >=3D that timestamp, = and > >> this increases the odds that DNSSEC will validate if we haven't been > >> off-line for too long. > >> > >> Then, for each hostname in the $STEP_SERVERS list (which could be > >> taken from ntp.conf or uci config or whatever, but here is just > >> hardcoded), I try to resolve IPv4 then IPv6, first with DNSSEC left > >> enabled, and then with DNSSEC disabled via `dig +cd`. The first dig > >> command to return results is the one which is used. > >> > >> The idea is to minimize the potential vulnerability of syncing to a ba= d > >> timesource, by using DNSSEC if it's available and works, after making > >> sure it has a reasonable chance of working if we've just rebooted, and > >> only if we've been off-line for some time do we fall back to insecure > >> DNS. > >> > >> Make sure that the START value is appropriate for your systems; I've > >> found the OpenWRT defaults to be sufficiently broken that I stomp on > >> them on reinstall. I run ntpdate once the network and firewall are up= , > >> but just before ntpd and both of those well before other network > >> services which might depend upon time. > >> > >> Regards, > >> -Phil > >> > >> #!/bin/sh /etc/rc.common > >> # Copyright (C) 2006-2008 OpenWrt.org > >> # Copyright (C) 2013 Phil Pennock > >> > >> START=3D60 > >> > >> STEP_SERVERS=3D"0.openwrt.pool.ntp.org 1.openwrt.pool.ntp.org > >> 2.openwrt.pool.ntp.org" > >> TIMEOUT=3D"2" # in seconds > >> PRESEED_TIMESTAMP_FN=3D"/etc/unbound/runtime/root.autokey" > >> > >> # The core problem is that with DNSSEC, an invalid time prevents > >> resolution > >> # of DNS, but we need DNS to be able to find time-servers to get a goo= d > >> time > >> # to be able to resolve DNS. > >> # > >> # We break out of this "Catch 22" situation by _trying_ normal DNS > >> resolution, > >> # IPv4 and then IPv6, and only if those fail do we forcibly disable > DNSSEC > >> # by using dig(1)'s +cd flag ("checking disabled"); trying normally > first > >> # protects us against malicious DNS trying to point us to bad > >> time-servers, > >> # if we've enough state that we _should_ already be protected. > >> # > >> # The "insecure" approach we regress to, as a last resort, is the same > way > >> # the Internet functioned for decades. There is a DoS+hijack attack > path > >> # here, but if we don't have a good battery-backed clock to protect us= , > we > >> # don't have a better solution. > >> > >> # Also, per a suggestion from Doug Calvert, we can use the timestamp o= f > >> # modification of the unbound root.key file itself as an approximate > time. > >> # Unbound updates the file on every refresh, so it's not too far off. > >> > >> preseed_approximate_time() { > >> # Unfortunately, date(1) on OpenWRT can't parse the timestamp > >> # output from ls. > >> python -c ' > >> import os, time, sys > >> fn=3Dsys.argv[1] > >> min_time=3Dos.stat(fn).st_ctime > >> if time.time() < min_time: > >> want=3Dtime.strftime("%Y%m%d%H%M.%S", time.gmtime(min_time)) > >> os.system("date -u -s %s" % want)' "$PRESEED_TIMESTAMP_FN" > /dev/nu= ll > >> } > >> > >> resolve_hostname_v4() { > >> # we use the grep both to filter out cname referrals and to detect emp= ty > >> # results > >> local hn=3D"$1" > >> shift > >> dig +nodnssec +short "$@" -t a "$hn" | grep '^[0-9][0-9.]*$' > >> } > >> > >> resolve_hostname_v6() { > >> local hn=3D"$1" > >> shift > >> dig +nodnssec +short "$@" -t aaaa "$hn" | grep -i > >> '^[0-9a-f][0-9a-f.:]*$' > >> } > >> > >> resolve_one_server() { > >> local hn=3D"$1" > >> resolve_hostname_v4 $hn && return > >> resolve_hostname_v6 $hn && return > >> resolve_hostname_v4 $hn +cd && return > >> resolve_hostname_v6 $hn +cd && return > >> } > >> > >> resolve_step_servers() { > >> local server ips > >> for server in $STEP_SERVERS ; do > >> resolve_one_server $server > >> done > >> } > >> > >> start() { > >> preseed_approximate_time > >> for s in $(resolve_step_servers) ; do > >> /usr/sbin/ntpdate -s -b -u -t "$TIMEOUT" "$s" && break > >> done > >> > >> } > >> > >> _______________________________________________ > >> Cerowrt-devel mailing list > >> Cerowrt-devel@lists.bufferbloat.net > >> https://lists.bufferbloat.net/listinfo/cerowrt-devel > >> > > > > > > _______________________________________________ > > Cerowrt-devel mailing list > > Cerowrt-devel@lists.bufferbloat.net > > https://lists.bufferbloat.net/listinfo/cerowrt-devel > > > > > > -- > Dave T=C3=A4ht > > Fixing bufferbloat with cerowrt: > http://www.teklibre.com/cerowrt/subscribe.html > --bcaec508238cc89aa504f56b5941 Content-Type: text/html; charset=UTF-8 Content-Transfer-Encoding: quoted-printable
# ll $(which nslookup)
lrwxrwxrwx=C2=A0=C2=A0=C2= =A0 1 root=C2=A0=C2=A0=C2=A0=C2=A0 root=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0=C2=A0= =C2=A0=C2=A0=C2=A0=C2=A0=C2=A0 17 Mar 21 13:16 /usr/bin/nslookup -> ../.= ./bin/busybox

I'm not sure it's the old nslookup that = we're thinking of...

--
David P.


On Mon, Mar 24, 2014 at 5:58 PM, Dav= e Taht <dave.taht@gmail.com> wrote:
I ship dig as an optional package for cerowrt.

I think it's in bind-tools or bind-utils. It is terribly big, but most<= br> people hae enough spare flash to have it.

An

opkg update
opkg list | less

will show you what is available.

I will argue that nobody wants to add functionality to the primitive
nsupdate....

On Mon, Mar 24, 2014 at 1:27 PM, David Personette <dperson@gmail.com> wrote:
> Phil,
>
> With the exception of the extra dependencies (dig and python), I like = this.
> I would suggest that if DNSSEC will be enabled, that nslookup (I think=
> that's the only command line resolver included by CeroWRT/OpenWRT = base
> installs) be extended to have a similar option as dig, to resolve with= out
> DNSSEC.
>
> The only other issue I see is if the router is brought online before > internet access is available. If I read your code correctly, it will t= ry 4
> times per defined server (with and without DNSSEC for IPv4 and IPv6), = then
> exit. It either needs to keep trying until it succeeds, or be called e= very
> time a connection comes up (shutting down NTPd prior and restarting af= ter).
>
> Thanks.
>
> --
> David P.
>
>
>
> On Mon, Mar 24, 2014 at 3:12 PM, Phil Pennock
> <cerowrt-devel= +phil@spodhuis.org> wrote:
>>
>> On 2014-03-21 at 23:33 -0400, Joseph Swick wrote:
>> > I've been lurking for several months now on the list and = I remember some
>> > discussion about trying to find acceptable methods for bootst= rapping the
>> > local system time so that DNSSEC would work.
>>
>> I raised this on the ntp-pool mailing-lists last year, looking for= a
>> solution because of the chicken/egg bootstrap, with suggested appr= oaches
>> and some trial scripts. =C2=A0Eg:
>>
>> =C2=A0 http://lists.ntp.org/pipermail/pool/2013-July/= 006569.html
>>
>> For context, I'm currently running OpenWRT; attached is the >> /etc/init.d/ntpdate which I'm using. =C2=A0It relies upon havi= ng Python and
>> dig installed, as I haven't gotten around to building a small = C utility
>> to do just this task, but perhaps the approach is useful enough th= at
>> someone else might do so?
>>
>> In summary: if the current time is less than the timestamp on the<= br> >> unbound-maintained copy of the root zone trust anchors, then bump = the
>> time up at least that far, because we must be at >=3D that time= stamp, and
>> this increases the odds that DNSSEC will validate if we haven'= t been
>> off-line for too long.
>>
>> Then, for each hostname in the $STEP_SERVERS list (which could be<= br> >> taken from ntp.conf or uci config or whatever, but here is just >> hardcoded), I try to resolve IPv4 then IPv6, first with DNSSEC lef= t
>> enabled, and then with DNSSEC disabled via `dig +cd`. =C2=A0The fi= rst dig
>> command to return results is the one which is used.
>>
>> The idea is to minimize the potential vulnerability of syncing to = a bad
>> timesource, by using DNSSEC if it's available and works, after= making
>> sure it has a reasonable chance of working if we've just reboo= ted, and
>> only if we've been off-line for some time do we fall back to i= nsecure
>> DNS.
>>
>> Make sure that the START value is appropriate for your systems; I&= #39;ve
>> found the OpenWRT defaults to be sufficiently broken that I stomp = on
>> them on reinstall. =C2=A0I run ntpdate once the network and firewa= ll are up,
>> but just before ntpd and both of those well before other network >> services which might depend upon time.
>>
>> Regards,
>> -Phil
>>
>> #!/bin/sh /etc/rc.common
>> # Copyright (C) 2006-2008 OpenWrt.org
>> # Copyright (C) 2013 Phil Pennock
>>
>> START=3D60
>>
>> STEP_SERVERS=3D"0.openwrt.pool.ntp.org 1.openwrt.pool.ntp.org
>> 2.open= wrt.pool.ntp.org"
>> TIMEOUT=3D"2" # in seconds
>> PRESEED_TIMESTAMP_FN=3D"/etc/unbound/runtime/root.autokey&quo= t;
>>
>> # The core problem is that with DNSSEC, an invalid time prevents >> resolution
>> # of DNS, but we need DNS to be able to find time-servers to get a= good
>> time
>> # to be able to resolve DNS.
>> #
>> # We break out of this "Catch 22" situation by _trying_ = normal DNS
>> resolution,
>> # IPv4 and then IPv6, and only if those fail do we forcibly disabl= e DNSSEC
>> # by using dig(1)'s +cd flag ("checking disabled"); = trying normally first
>> # protects us against malicious DNS trying to point us to bad
>> time-servers,
>> # if we've enough state that we _should_ already be protected.=
>> #
>> # The "insecure" approach we regress to, as a last resor= t, is the same way
>> # the Internet functioned for decades. =C2=A0There is a DoS+hijack= attack path
>> # here, but if we don't have a good battery-backed clock to pr= otect us, we
>> # don't have a better solution.
>>
>> # Also, per a suggestion from Doug Calvert, we can use the timesta= mp of
>> # modification of the unbound root.key file itself as an approxima= te time.
>> # Unbound updates the file on every refresh, so it's not too f= ar off.
>>
>> preseed_approximate_time() {
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 # Unfortunately, date(1) on OpenWRT ca= n't parse the timestamp
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 # output from ls.
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 python -c '
>> import os, time, sys
>> fn=3Dsys.argv[1]
>> min_time=3Dos.stat(fn).st_ctime
>> if time.time() < min_time:
>> =C2=A0 want=3Dtime.strftime("%Y%m%d%H%M.%S", time.gmtime= (min_time))
>> =C2=A0 os.system("date -u -s %s" % want)' "$PRE= SEED_TIMESTAMP_FN" > /dev/null
>> }
>>
>> resolve_hostname_v4() {
>> # we use the grep both to filter out cname referrals and to detect= empty
>> # results
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 local hn=3D"$1"
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 shift
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 dig +nodnssec +short "$@" -t= a "$hn" | grep '^[0-9][0-9.]*$'
>> }
>>
>> resolve_hostname_v6() {
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 local hn=3D"$1"
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 shift
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 dig +nodnssec +short "$@" -t= aaaa "$hn" | grep -i
>> '^[0-9a-f][0-9a-f.:]*$'
>> }
>>
>> resolve_one_server() {
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 local hn=3D"$1"
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 resolve_hostname_v4 $hn && ret= urn
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 resolve_hostname_v6 $hn && ret= urn
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 resolve_hostname_v4 $hn +cd &&= return
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 resolve_hostname_v6 $hn +cd &&= return
>> }
>>
>> resolve_step_servers() {
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 local server ips
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 for server in $STEP_SERVERS ; do
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 resolve_on= e_server $server
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 done
>> }
>>
>> start() {
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 preseed_approximate_time
>> =C2=A0 =C2=A0 =C2=A0 =C2=A0 for s in $(resolve_step_servers) ; do<= br> >> =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 =C2=A0 /usr/sbin/= ntpdate -s -b -u -t "$TIMEOUT" "$s" && break >> =C2=A0 =C2=A0 =C2=A0 =C2=A0 done
>>
>> }
>>
>> _______________________________________________
>> Cerowrt-devel mailing list
>> Cerowrt-dev= el@lists.bufferbloat.net
>> https://lists.bufferbloat.net/listinfo/cerowrt-devel >>
>
>
> _______________________________________________
> Cerowrt-devel mailing list
> Cerowrt-devel@l= ists.bufferbloat.net
> https://lists.bufferbloat.net/listinfo/cerowrt-devel
>



--
Dave T=C3=A4ht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscrib= e.html

--bcaec508238cc89aa504f56b5941--