[Cerowrt-devel] DNSSEC & NTP Bootstrapping

Dave Taht dave.taht at gmail.com
Sat Mar 22 13:42:08 EDT 2014


On Sat, Mar 22, 2014 at 3:33 AM, Joseph Swick <cerowrt at decoy.cotse.net> wrote:
> Hi List,
> I've been lurking for several months now on the list and I remember some
> discussion about trying to find acceptable methods for bootstrapping the
> local system time so that DNSSEC would work.
>
> I recently got around to updating my router a week or two ago from 3.7.?
> to 3.10.28-16 because Comcast finally switched on IPv6 for my neck of
> the woods (realized this when I finally noticed the performance impact
> of the issues with Comcast IPv6 and the 3.7 release) .

I really, really, really want to get the comcast users off of 3.7.x. That bug
is rather severe.

> Tonight, I went
> and reset my configuration this evening to clear out some mistakes I
> made (that was keeping IPv6 from working).  Then I noticed that was
> getting SERVFAIL for some domains (e.g.: bufferbloat.net) and not others
> and (in trying to keep this short) I finally remembered to check the
> clock on the router and saw that it was set to Feb 24th instead of the
> correct time & date.
>
> Is the current recommendation still to put in a couple of IPs for NTP
> servers into the config of the router?  Or has there been more work
> towards resolving the NTP bootstrap issue in the more recent releases?

There has not (as yet) been any work put into resolving the thorny
ntp/dnssec interrelationship problem. (famous bug #113 in the cerowrt
database). (Not having
been running any releases for long enough for it to become a problem made it
slip my mind!)

There WAS a bug in openwrt's ntp which led to only one ntp server being queried,
rather than the default 4. This was fixed several releases back. So
you failed to
get a valid time from the one ntp server you saw, and things degraded
from there.

The ntp servers queried presently largely are not dnssec signed, so
the ntp queries should succeed (I think?) in the general case. However, for
robustness, I'd argue for enhancing the ntp startup script to
temporarily disable dnssec until it gets a valid time, and then
enabling it. I believe support for running the script was added to
busybox ntp; the problem remaining is how to tell dnsmasq about it
correctly.

> TIA.
>
> -Joseph



-- 
Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
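The startup-script idea sketched in the reply above, written out as an added example (this is not CeroWrt, OpenWrt or busybox code). It assumes three things not stated in the thread: that busybox ntpd is started with `-S` pointing at this script, so ntpd invokes it with `$1` set to `step`, `stratum`, `periodic` or `unsync`; that dnsmasq was started with `--dnssec-no-timecheck` (an option later dnsmasq releases provide) and starts enforcing RRSIG validity windows once it receives SIGINT; and that a build-time timestamp `BUILD_EPOCH` is baked into the image, so any clock earlier than it (like the Feb 24th clock that produced the SERVFAILs) is known to be wrong. The decision logic is kept separate from the side effects so it can be exercised without a router.

```shell
#!/bin/sh
# Added example, not project code: gate dnsmasq's DNSSEC timestamp checks on
# ntpd having delivered a plausible time, driven from busybox ntpd's -S hook.
#
# Assumptions (not from the original post):
#  * invoked as `ntpd -S /path/to/this-script ...`, so $1 is one of
#    "step", "stratum", "periodic" or "unsync";
#  * dnsmasq runs with --dnssec-no-timecheck and enables the check on SIGINT;
#  * BUILD_EPOCH is a constructed build-time lower bound for the clock.

BUILD_EPOCH="${BUILD_EPOCH:-1395360000}"   # constructed: 2014-03-21 00:00:00 UTC
STATE_FILE="${STATE_FILE:-/tmp/dnssec-timecheck.state}"

# clock_is_plausible NOW BUILD_EPOCH -> success if NOW is after the build time.
# A clock before the image was built is certainly wrong; a clock after it may
# still be wrong, which is why we also wait for an ntpd event.
clock_is_plausible() {
    [ "$1" -gt "$2" ]
}

# decide_action EVENT NOW BUILD_EPOCH STATE -> prints one of:
#   enable : ntpd reported a time, it is plausible, and checks are still off
#   keep   : checks are already on; never turn them back off
#   wait   : no trustworthy time yet, leave the timestamp check disabled
decide_action() {
    event=$1; now=$2; build=$3; state=$4
    case "$event" in
        step|stratum|periodic)
            if [ "$state" = "checking" ]; then
                echo keep
            elif clock_is_plausible "$now" "$build"; then
                echo enable
            else
                echo wait
            fi ;;
        *)
            # "unsync" (all peers lost) or an unknown event: do not enable
            # checks on a clock ntpd itself does not vouch for
            if [ "$state" = "checking" ]; then echo keep; else echo wait; fi ;;
    esac
}

# apply_action ACTION: the side effects on a real router. Only "enable" does
# anything: tell dnsmasq to start checking RRSIG validity and remember it.
apply_action() {
    case "$1" in
        enable)
            pid=$(cat /var/run/dnsmasq.pid 2>/dev/null) || return 1
            kill -INT "$pid" && echo checking > "$STATE_FILE" ;;
        keep|wait) : ;;
    esac
}

# Hook entry point: runs only when ntpd invokes the script with an event.
if [ $# -ge 1 ]; then
    state=$(cat "$STATE_FILE" 2>/dev/null || echo off)
    apply_action "$(decide_action "$1" "$(date +%s)" "$BUILD_EPOCH" "$state")"
fi
```

The state file is what answers the "how to tell dnsmasq" question in this design: dnsmasq is told exactly once, on the first plausible time, and later `unsync` events never disable validation again, since a resolver that flips DNSSEC off whenever NTP hiccups is an easy thing to abuse.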


