Phil, With the exception of the extra dependencies (dig and python), I like this. I would suggest that if DNSSEC will be enabled, that nslookup (I think that's the only command line resolver included by CeroWRT/OpenWRT base installs) be extended to have a similar option as dig, to resolve without DNSSEC. The only other issue I see is if the router is brought online before internet access is available. If I read your code correctly, it will try 4 times per defined server (with and without DNSSEC for IPv4 and IPv6), then exit. It either needs to keep trying until it succeeds, or be called every time a connection comes up (shutting down NTPd prior and restarting after). Thanks. -- David P. On Mon, Mar 24, 2014 at 3:12 PM, Phil Pennock < cerowrt-devel+phil@spodhuis.org> wrote: > On 2014-03-21 at 23:33 -0400, Joseph Swick wrote: > > I've been lurking for several months now on the list and I remember some > > discussion about trying to find acceptable methods for bootstrapping the > > local system time so that DNSSEC would work. > > I raised this on the ntp-pool mailing-lists last year, looking for a > solution because of the chicken/egg bootstrap, with suggested approaches > and some trial scripts. Eg: > > http://lists.ntp.org/pipermail/pool/2013-July/006569.html > > For context, I'm currently running OpenWRT; attached is the > /etc/init.d/ntpdate which I'm using. It relies upon having Python and > dig installed, as I haven't gotten around to building a small C utility > to do just this task, but perhaps the approach is useful enough that > someone else might do so? > > In summary: if the current time is less than the timestamp on the > unbound-maintained copy of the root zone trust anchors, then bump the > time up at least that far, because we must be at >= that timestamp, and > this increases the odds that DNSSEC will validate if we haven't been > off-line for too long. > > Then, for each hostname in the $STEP_SERVERS list (which could be > taken from ntp.conf or uci config or whatever, but here is just > hardcoded), I try to resolve IPv4 then IPv6, first with DNSSEC left > enabled, and then with DNSSEC disabled via `dig +cd`. The first dig > command to return results is the one which is used. > > The idea is to minimize the potential vulnerability of syncing to a bad > timesource, by using DNSSEC if it's available and works, after making > sure it has a reasonable chance of working if we've just rebooted, and > only if we've been off-line for some time do we fall back to insecure > DNS. > > Make sure that the START value is appropriate for your systems; I've > found the OpenWRT defaults to be sufficiently broken that I stomp on > them on reinstall. I run ntpdate once the network and firewall are up, > but just before ntpd and both of those well before other network > services which might depend upon time. > > Regards, > -Phil > > #!/bin/sh /etc/rc.common > # Copyright (C) 2006-2008 OpenWrt.org > # Copyright (C) 2013 Phil Pennock > > START=60 > > STEP_SERVERS="0.openwrt.pool.ntp.org 1.openwrt.pool.ntp.org > 2.openwrt.pool.ntp.org" > TIMEOUT="2" # in seconds > PRESEED_TIMESTAMP_FN="/etc/unbound/runtime/root.autokey" > > # The core problem is that with DNSSEC, an invalid time prevents resolution > # of DNS, but we need DNS to be able to find time-servers to get a good > time > # to be able to resolve DNS. > # > # We break out of this "Catch 22" situation by _trying_ normal DNS > resolution, > # IPv4 and then IPv6, and only if those fail do we forcibly disable DNSSEC > # by using dig(1)'s +cd flag ("checking disabled"); trying normally first > # protects us against malicious DNS trying to point us to bad time-servers, > # if we've enough state that we _should_ already be protected. > # > # The "insecure" approach we regress to, as a last resort, is the same way > # the Internet functioned for decades. There is a DoS+hijack attack path > # here, but if we don't have a good battery-backed clock to protect us, we > # don't have a better solution. > > # Also, per a suggestion from Doug Calvert, we can use the timestamp of > # modification of the unbound root.key file itself as an approximate time. > # Unbound updates the file on every refresh, so it's not too far off. > > preseed_approximate_time() { > # Unfortunately, date(1) on OpenWRT can't parse the timestamp > # output from ls. > python -c ' > import os, time, sys > fn=sys.argv[1] > min_time=os.stat(fn).st_ctime > if time.time() < min_time: > want=time.strftime("%Y%m%d%H%M.%S", time.gmtime(min_time)) > os.system("date -u -s %s" % want)' "$PRESEED_TIMESTAMP_FN" > /dev/null > } > > resolve_hostname_v4() { > # we use the grep both to filter out cname referrals and to detect empty > # results > local hn="$1" > shift > dig +nodnssec +short "$@" -t a "$hn" | grep '^[0-9][0-9.]*$' > } > > resolve_hostname_v6() { > local hn="$1" > shift > dig +nodnssec +short "$@" -t aaaa "$hn" | grep -i > '^[0-9a-f][0-9a-f.:]*$' > } > > resolve_one_server() { > local hn="$1" > resolve_hostname_v4 $hn && return > resolve_hostname_v6 $hn && return > resolve_hostname_v4 $hn +cd && return > resolve_hostname_v6 $hn +cd && return > } > > resolve_step_servers() { > local server ips > for server in $STEP_SERVERS ; do > resolve_one_server $server > done > } > > start() { > preseed_approximate_time > for s in $(resolve_step_servers) ; do > /usr/sbin/ntpdate -s -b -u -t "$TIMEOUT" "$s" && break > done > } > > _______________________________________________ > Cerowrt-devel mailing list > Cerowrt-devel@lists.bufferbloat.net > https://lists.bufferbloat.net/listinfo/cerowrt-devel > >