[Cerowrt-devel] DNSSEC & NTP Bootstrapping

Aaron Wood woody77 at gmail.com
Sun Mar 23 06:12:34 EDT 2014


>
> > The ntp servers queried presently largely are not dnssec signed, so
> > the ntp queries
> > should succeed (I think?) in the general case. However, for
> > robustness, I'd argue for enhancing the ntp startup script to
> > temporarily disable dnssec until it gets a valid time, and then
> > enabling it. I believe support for running the script was added to
> > busybox ntp, the problem remaining is how to tell dnsmasq about it
> > correctly.
> >
>
> Ok, part of my issue was probably also that the clock was so far off, it
> didn't want to skew to the correct time.


Something I've done in the past on systems without RTCs is to have the ntp
init script loop on calling ntpdate until it gets a valid time, and then
switch over to the continuously running ntpd.  Everything that needs the
correct time then has to start after ntp.  But with DNSSEC, that's going to
push the need to have the ntp servers specified by ip address, not by
hostname, or to have them never be secure, or we find a way to have
long-lived dnssec entries.  I think raw IP address specification is
probably safer than trying to do something like creating an insecure window
around dnssec.

-Aaron
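
The bootstrap sequence described in the message above (loop on ntpdate against servers given as IP addresses until the clock is valid, then hand over to ntpd), as an added example that is not part of the original message. The server addresses are RFC 5737 placeholders, the 2014-01-01 validity floor and the MAX_TRIES and RETRY_DELAY knobs are assumptions, and the `-p` peer flag assumes BusyBox ntpd.

```shell
#!/bin/sh
# Added example: time bootstrap with no DNS lookups, so DNSSEC is never relaxed.
NTP_IPS=${NTP_IPS:-"192.0.2.1 198.51.100.1"}  # placeholders (RFC 5737), not real servers
MIN_EPOCH=${MIN_EPOCH:-1388534400}   # assumed floor: 2014-01-01 00:00:00 UTC
RETRY_DELAY=${RETRY_DELAY:-5}        # assumed seconds between rounds
MAX_TRIES=${MAX_TRIES:-0}            # assumed knob; 0 = loop until the time is valid
NTPDATE=${NTPDATE:-ntpdate}
NTPD=${NTPD:-ntpd}                   # assumed to be BusyBox ntpd (-p PEER)

# True only for dotted-quad IPv4 literals, so a hostname can never trigger a lookup.
is_ipv4_literal() {
    case "$1" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        case "$octet" in ????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# A clock earlier than the floor means the box still has its no-RTC boot time.
clock_is_sane() {
    [ "$(date +%s)" -ge "$MIN_EPOCH" ]
}

# Try each IP in turn; succeed only when ntpdate exits 0 AND the clock is sane.
bootstrap_time() {
    tries=0
    while [ "$MAX_TRIES" -eq 0 ] || [ "$tries" -lt "$MAX_TRIES" ]; do
        for ip in $NTP_IPS; do
            is_ipv4_literal "$ip" || continue   # skip anything that would need DNS
            if $NTPDATE "$ip" >/dev/null 2>&1 && clock_is_sane; then
                return 0
            fi
        done
        tries=$((tries + 1))
        sleep "$RETRY_DELAY"
    done
    return 1
}

start() {
    bootstrap_time || return 1
    peers=""
    for ip in $NTP_IPS; do is_ipv4_literal "$ip" && peers="$peers -p $ip"; done
    $NTPD $peers   # clock is valid: switch to the continuously running daemon
}
case "${1:-}" in start) start ;; esac
```

Services that depend on correct time, including DNSSEC validation, are ordered after this script's `start` returns successfully.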