[Cerowrt-devel] DNSSEC & NTP Bootstrapping

Toke Høiland-Jørgensen toke at toke.dk
Sat Mar 22 15:38:48 EDT 2014


Simon Kelley <simon at thekelleys.org.uk> writes:

> One possibility would be to store the current time in NVRAM. When the
> router comes up, that gives a lower bound on the current time, and
> would solve attacks using old keys.

This is already implemented (basically it finds the most recently
modified file in /etc and sets the time to that; I think there's also a
script that periodically refreshes some file there), and works to keep
time during a reboot. However, when first flashing an image, the time
will be whatever time that image was created...

> Less drastic would be to disable the key-time checks for this phase.
> Simplest would be a config flag: start it up with that flag whilst NTP
> does its stuff, then restart without when the clock is OK. Another
> option would be to disable the checks when the query arrives from a
> "magic" loopback address: maybe 127.110.116.112 (127.'n'.'t'.'p')

The magic address would require the resolver and/or the ntp daemon to be
patched? What about a config option that adds a grace time? Say enable
dnssec after N seconds?

-Toke
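
The lower-bound idea discussed in this message, as an added shell sketch that is not part of the original post or of CeroWrt's or dnsmasq's code: it takes the newest file mtime in a directory as a floor for the clock and shows which RRSIG validity windows that floor can and cannot rule out. Function names and sample values are constructed; it assumes a `stat` that supports `-c %Y` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added illustration; hypothetical helper names, not CeroWrt's boot scripts.

# Print the newest modification time (epoch seconds) of any regular file
# under directory $1, or 0 if there is none.
newest_mtime() {
    m=$(find "$1" -type f -exec stat -c %Y {} + 2>/dev/null | sort -n | tail -n 1)
    echo "${m:-0}"
}

# Lower bound on the real time: the later of the system clock ($2, epoch
# seconds) and the newest mtime under $1. Real time can only be >= this.
time_lower_bound() {
    m=$(newest_mtime "$1")
    if [ "$m" -gt "$2" ]; then echo "$m"; else echo "$2"; fi
}

# Classify an RRSIG validity window against a lower bound on the time.
#   $1 = inception, $2 = expiration, $3 = lower bound (all epoch seconds)
# Simplification: plain integer comparison, ignoring the serial-number
# wraparound that RFC 4034 specifies for these fields.
#   expired       - expiration < bound: invalid whatever the real time is,
#                   so replayed old signatures are rejected without NTP.
#   not-yet-valid - inception > bound: the freshly-flashed-image case; the
#                   signature may be fine, the clock is just too old.
#   in-window     - consistent with the bound, but only a synced clock can
#                   confirm that the real time is not past expiration.
classify_rrsig() {
    if [ "$2" -lt "$3" ]; then
        echo expired
    elif [ "$1" -gt "$3" ]; then
        echo not-yet-valid
    else
        echo in-window
    fi
}
```

Only the `expired` verdict is safe to act on before NTP has synced; the other two are where a grace period or a check-disabling flag would come into play.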