[Cerowrt-devel] cerowrt security

Toke Høiland-Jørgensen toke at toke.dk
Tue Oct 22 07:59:24 EDT 2013


Maciej Soltysiak <maciej at soltysiak.com> writes:

> Therefore I have bought a VM at a cloud provider in my city and
> deployed the same thing they are but 7ms away. DNSCrypt-wrapper with a
> default config of unbound to provide recursive, DNSSEC validated NS.

An alternative approach is to simply run a full BIND resolver with
DNSSEC validation on the cerowrt box. That is doable, with a bit of
configuration (notably adding the root key config file). The biggest
issue is one of time: when the router boots up it doesn't know the time,
and hence can't validate DNSSEC, making it unable to contact an NTP
server. A way to solve this is to get hold of a USB GPS receiver and use
that as a time source either on the cerowrt box itself, or on another
box that the router can reach when it boots up (and configure that in
/etc/hosts or simply input an IP into the NTP config). I suppose
configuring a known good NTP server by IP (or in /etc/hosts) would work
as well.

I use this setup (with a GPS on my home server) and it works quite well. :)

-Toke
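The boot-time ordering problem described above (no clock, so no DNSSEC validation, so no hostname lookup for the NTP server), as an added shell example that is not from this thread or from CeroWrt itself: it checks whether the clock is plausible, finds the NTP server without DNS (an IP literal or an /etc/hosts-style entry), and only then does a one-shot sync before a validating resolver is relied upon. The server address, the build epoch and the use of busybox ntpd are assumptions.

```shell
#!/bin/sh
# Added example, not code from the thread or from CeroWrt itself.
# Boot-order helper: make sure the clock is plausible before a DNSSEC-
# validating resolver is relied upon, reaching the NTP server by IP (or
# via /etc/hosts) so no DNS lookup is needed while validation cannot work.
# Assumptions (placeholders, not from the post):
#   NTP_SERVER_IP - a known-good NTP server, by IP literal (TEST-NET-1 here)
#   BUILD_EPOCH   - epoch seconds at firmware build; an earlier clock is bogus
#   ntpd          - busybox ntpd as shipped on OpenWrt-based firmware
NTP_SERVER_IP="${NTP_SERVER_IP:-192.0.2.123}"
BUILD_EPOCH="${BUILD_EPOCH:-1382400000}"   # 2013-10-22 00:00:00 UTC

# clock_is_sane NOW MIN: succeeds when NOW (epoch seconds) is not before MIN.
# A router without a battery-backed RTC boots at the epoch or the build date,
# so anything earlier than the build cannot be real time.
clock_is_sane() {
    [ "$1" -ge "$2" ]
}

# hosts_lookup NAME [FILE]: print the first address mapped to NAME in an
# /etc/hosts-style file, ignoring comment lines; fails if there is none.
# This is the "configure the NTP server in /etc/hosts" option from the post.
hosts_lookup() {
    name=$1; file=${2:-/etc/hosts}
    ip=$(awk -v n="$name" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == n) { print $1; exit } }' "$file")
    [ -n "$ip" ] && printf '%s\n' "$ip"
}

# bootstrap_time: one-shot clock step from the IP-addressed server when the
# clock is implausible. busybox ntpd: -q quit after first sync, -n stay in
# the foreground, -p peer address. Start the validating resolver only after
# this succeeds; with a bogus clock every signed answer fails validation
# (SERVFAIL), including the lookup of the NTP server's own name.
bootstrap_time() {
    if clock_is_sane "$(date +%s)" "$BUILD_EPOCH"; then
        echo "clock plausible, no one-shot sync needed"
        return 0
    fi
    if ntpd -q -n -p "$NTP_SERVER_IP"; then
        echo "clock stepped from $NTP_SERVER_IP; safe to start DNSSEC validation"
    else
        echo "one-shot NTP sync failed; validation would SERVFAIL, not starting resolver" >&2
        return 1
    fi
}

# Only act when invoked with "run", so sourcing this file for the helpers is harmless.
if [ "${1:-}" = "run" ]; then bootstrap_time; fi
```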