[Cerowrt-devel] cerowrt 3.3.8-17: nice latency improvements, some issues with bind

Michael Richardson mcr at sandelman.ca
Tue Aug 21 21:21:29 EDT 2012

>>>>> "Maciej" == Maciej Soltysiak <maciej at soltysiak.com> writes:
    >> Good idea, but you need DNS to find that server, and you need
    >> time to do DNSSEC.

    Maciej> How about this:
    Maciej> 1) do a 1 time `host time.nist.gov` and feed that to NTP config file
    Maciej> 2) make NTP get time from the IP of time.nist.gov resolved from step 1
    Maciej> 3) start bind with dnssec

Sure, you could do this.

There is no significant security advantage of doing this, vs starting
bind with DNSSEC time validation disabled.  A malicious attacker who
wants to attack you also controls the answer that returns, and 
also controls the NTP answer on port 123.  Bad guys own your uplink.
It's as easy as plugging a *WRT box in front of yours, or any place
upstream. (if you are paranoid, you are paranoid)

Or turn off DNSSEC validation until you have some notion of time.
That way, you wouldn't claim to have done validation.

Michael Richardson
-at the cottage-
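
An added example, not part of the original message and not CeroWrt's or BIND's own script: one way to keep DNSSEC validation off until the router has some notion of time. The floor value, the NTP_SYNCED flag and the function names are assumptions, and the gate does not authenticate the time source, so whoever controls the uplink can still answer NTP.

```shell
#!/bin/sh
# Gate DNSSEC validation on the local clock being plausible.
# Assumption: CLOCK_FLOOR is the earliest time the clock could honestly
# show, e.g. the firmware build date. Constructed value: 2012-08-01 UTC.
CLOCK_FLOOR=${CLOCK_FLOOR:-1343779200}

# sig_valid_at NOW INCEPTION EXPIRATION -> exit 0 if NOW is inside the
# signature validity window (all epoch seconds). This is the check that
# fails when a router without an RTC boots with its clock near zero.
# Simplified: plain integer compare, no RFC 4034 serial arithmetic.
sig_valid_at() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# clock_plausible NOW FLOOR -> exit 0 if the clock is at or past the floor.
clock_plausible() {
    [ "$1" -ge "$2" ]
}

# validation_state NOW FLOOR NTP_SYNCED -> prints "on" or "off".
# NTP_SYNCED is a hypothetical yes/no flag set by whatever watches the
# NTP client; it means "a server answered", not "the answer is trusted".
validation_state() {
    if clock_plausible "$1" "$2" && [ "$3" = "yes" ]; then
        echo on
    else
        echo off
    fi
}

now=$(date +%s)
state=$(validation_state "$now" "$CLOCK_FLOOR" "${NTP_SYNCED:-no}")

# "rndc validation on|off" toggles validation in a running named.
# Printed rather than executed so the example runs without named.
echo "rndc validation $state"
```

Run from the boot sequence after named starts with validation disabled, then again once the NTP client reports a sync.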
