[Cerowrt-devel] DNSSEC & NTP Bootstrapping
Simon Kelley
simon at thekelleys.org.uk
Sat Mar 22 15:42:32 EDT 2014
On 22/03/14 19:38, Toke Høiland-Jørgensen wrote:
> Simon Kelley <simon at thekelleys.org.uk> writes:
>
>> One possibility would be to store the current time in NVRAM. When
>> the router comes up, that gives a lower bound on the current
>> time, and would solve attacks using old keys.
>
> This is already implemented (basically it finds the most recently
> modified file in /etc and sets the time to that; I think there's
> also a script that periodically refreshes some file there), and
> works to keep time during a reboot. However, when first flashing an
> image, the time will be whatever time that image was created...
>
>> Less drastic would be to disable the key-time checks for this
>> phase. Simplest would be a config flag: start it up with that
>> flag whilst NTP does its stuff, then restart without when the
>> clock is OK. Another option would be to disable the checks when
>> the query arrives from a "magic" loopback address: maybe
>> 127.110.116.112 (127.'n'.'t'.'p')
>
> The magic address would require the resolver and/or the ntp daemon
> to be patched? What about a config option that adds a grace time?
> Say enable dnssec after N seconds?
That would be possible: it would require care to make it work in the
face of the system time being warped by NTP. Best way may be to use
times() rather than time().
Cheers,
Simon.
>
> -Toke
>
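Simon's suggestion above, a grace window measured with times() rather than time() so that an NTP step cannot shorten or stretch it, as an added example that is neither dnsmasq code nor from this thread; the 120 s window, the function names and the simulated one-day warp are assumptions.

```c
/* Added example (not dnsmasq code): gate DNSSEC key-time checks behind a
 * grace period measured on a monotonic tick counter, not the wall clock. */
#include <stdio.h>
#include <time.h>
#include <unistd.h>
#include <sys/times.h>

/* Assumed config value: the "N seconds" from the thread. */
#define DNSSEC_GRACE_SECS 120

/* Seconds since an arbitrary origin, via times(). The origin varies by
 * kernel and the tick count can wrap, but settimeofday()/NTP never
 * move it; clock_gettime(CLOCK_MONOTONIC) is the portable alternative. */
static double monotonic_seconds(void)
{
    struct tms unused;
    clock_t ticks = times(&unused);
    long hz = sysconf(_SC_CLK_TCK);
    return (double)ticks / (double)hz;
}

/* Pure decision: has the grace window elapsed on the monotonic clock?
 * Parameterised on the two readings so it can be checked without waiting. */
int dnssec_time_checks_enforced(double start_mono, double now_mono,
                                int grace_secs)
{
    return (now_mono - start_mono) >= (double)grace_secs;
}

/* Contrast: the same gate keyed to time(). A forward NTP step opens it
 * at once; a backward step holds it shut indefinitely. */
int wallclock_grace_elapsed(time_t start_wall, time_t now_wall, int grace_secs)
{
    return difftime(now_wall, start_wall) >= (double)grace_secs;
}

int main(void)
{
    double start = monotonic_seconds();
    time_t wall_start = time(NULL);
    /* Constructed scenario: NTP steps the wall clock forward by one day
     * right after startup. */
    time_t warped = wall_start + 86400;
    printf("wall-clock gate after +1d step: %d\n",
           wallclock_grace_elapsed(wall_start, warped, DNSSEC_GRACE_SECS));
    printf("monotonic gate at startup:      %d\n",
           dnssec_time_checks_enforced(start, monotonic_seconds(),
                                       DNSSEC_GRACE_SECS));
    return 0;
}
```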