Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping

[Joseph Swick <cerowrt@decoy.cotse.net>]

On 03/22/2014 01:42 PM, Dave Taht wrote:
> On Sat, Mar 22, 2014 at 3:33 AM, Joseph Swick <cerowrt@decoy.cotse.net> wrote:

>> I recently got around to updating my router a week or two ago from 3.7.?
>> to 3.10.28-16 because Comcast finally switched on IPv6 for my neck of
>> the woods (realized this when I finally noticed the performance impact
>> of the issues with Comcast IPv6 and the 3.7 release) .
> 
> I reallly, really, really want to get the comcast users off of 3.7.x. That bug
> is rather severe.

Yeah, I had kept putting off upgrading to one of the fixed releases due
to the assumption that my area of Southern NH would be among the last to
get IPv6 switched on.  Wasn't until I started looking into why my
Internet performance had gotten so bad I remembered the bug (and why I
kept reminding my self to upgrade)

> There has not (as yet) been any work put into resolving the thorny
> ntp/dnssec interrelationship problem. (famous bug #113 in the cerowrt
> database). (Not having
> been running any releases for long enough for it to become a problem made it
> slip my mind!)

I'm more than happy to try to help out (which is why I joined the devel
list), but I'm more of the Sysadmin type than Developer (which is why
I've been lurking).

> The ntp servers queried presently largely are not dnssec signed, so
> the ntp queries
> should succeed (I think?) in the general case. However, for
> robustness, I'd argue for enhancing the ntp startup script to
> temporarily disable dnssec until it gets a valid time, and then
> enabling it. I believe support for running the script was added to
> busybox ntp, the problem  remaining is how to tell dnsmasq about it
> correctly.
> 

Ok, part of my issue was probably also that the clock was so far off, it
didn't want to skew to the correct time.

-Joseph