[Cerowrt-devel] DNSSEC & NTP Bootstrapping
simon at thekelleys.org.uk
Sat Mar 22 15:42:32 EDT 2014
On 22/03/14 19:38, Toke Høiland-Jørgensen wrote:
> Simon Kelley <simon at thekelleys.org.uk> writes:
>> One possibility would be to store the current time in NVRAM. When
>> the router comes up, that gives a lower bound on the current
>> time, and would solve attacks using old keys.
> This is already implemented (basically it finds the most recently
> modified file in /etc and sets the time to that; I think there's
> also a script that periodically refreshes some file there), and
> works to keep time during a reboot. However, when first flashing an
> image, the time will be whatever time that image was created...
>> Less drastic would be to disable the key-time checks for this
>> phase. Simplest would be a config flag: start it up with that
>> flag whilst NTP does its stuff, then restart without when the
>> clock is OK. Another option would be to disable the checks when
>> the query arrives from a "magic" loopback address: maybe
>> 127.110.116.112 (127.'n'.'t'.'p')
> The magic address would require the resolver and/or the ntp daemon
> to be patched? What about a config option that adds a grace time?
> Say enable dnssec after N seconds?
That would be possible: it would require care to make it work in the
face of the system time being warped by NTP. Best way may be to use
times() rather than time().
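A worked illustration of the grace-period idea Simon sketches above, added here as an example and not code from dnsmasq or from anyone on the list: the window is measured with times() (monotonic clock ticks) rather than time(), so an NTP step of the wall clock neither stretches nor shortens it. The grace length, the function names and the constructed tick values are assumptions.

```c
#include <stdbool.h>
#include <stdio.h>
#include <sys/times.h>
#include <time.h>
#include <unistd.h>

/* Hypothetical grace window (seconds after daemon start) during which
 * DNSSEC key-validity-time checks are skipped while NTP settles. */
#define DNSSEC_GRACE_SECONDS 120

/* Elapsed-real-time ticks from times(2). Unlike time(2), this value is
 * not warped when NTP steps the wall clock. */
static clock_t monotonic_ticks(void)
{
    struct tms unused;
    return times(&unused);
}

/* Return true once the grace window, measured in monotonic ticks, has
 * elapsed. The subtraction is done unsigned so a single wrap of clock_t
 * still yields the right elapsed count. If the tick rate is unknown,
 * fail closed and enforce the checks. */
bool enforce_key_time_checks(clock_t start_ticks, clock_t now_ticks,
                             long ticks_per_sec, long grace_seconds)
{
    if (ticks_per_sec <= 0 || grace_seconds < 0)
        return true;
    unsigned long elapsed = (unsigned long)now_ticks - (unsigned long)start_ticks;
    return elapsed >= (unsigned long)grace_seconds * (unsigned long)ticks_per_sec;
}

/* The naive wall-clock version, kept only for contrast: an NTP step
 * backwards (now < start) keeps the window open until wall time catches
 * up again, and a step forwards closes it early. */
bool enforce_key_time_checks_wallclock(time_t start, time_t now, long grace_seconds)
{
    return difftime(now, start) >= (double)grace_seconds;
}

int main(void)
{
    long hz = sysconf(_SC_CLK_TCK);
    clock_t start = monotonic_ticks();
    time_t wall_start = time(NULL);

    /* Constructed scenario: 30 s of real uptime have passed, but NTP has
     * just stepped the wall clock back by one hour. */
    clock_t now = start + (clock_t)(30 * hz);
    time_t wall_now = wall_start + 30 - 3600;

    printf("monotonic:  enforce=%d (30 s into a %d s window)\n",
           enforce_key_time_checks(start, now, hz, DNSSEC_GRACE_SECONDS),
           DNSSEC_GRACE_SECONDS);
    printf("wall clock: enforce=%d (window held open by the backward step)\n",
           enforce_key_time_checks_wallclock(wall_start, wall_now,
                                             DNSSEC_GRACE_SECONDS));

    /* Advance the monotonic clock past the window: checks are now enforced
     * regardless of what the wall clock did in the meantime. */
    now = start + (clock_t)((DNSSEC_GRACE_SECONDS + 1) * hz);
    printf("monotonic after %d s: enforce=%d\n", DNSSEC_GRACE_SECONDS + 1,
           enforce_key_time_checks(start, now, hz, DNSSEC_GRACE_SECONDS));
    return 0;
}
```

The daemon would call enforce_key_time_checks() on each validation and, while it returns false, skip only the inception/expiration comparison of RRSIGs and keys, not the signature verification itself; once NTP has set the clock the window closes on its own, with no restart and no "magic" source address needed.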