[Cerowrt-devel] DNSSEC & NTP Bootstrapping

Aaron Wood woody77 at gmail.com
Mon Mar 24 05:51:44 EDT 2014


>
> The ., org. keys are not going to grow multiple year expiries, so we need our
> own thing to cache.  One could cache the DNSKEY for bufferbloat.net along
> with the root zone keys... then lookup ntp.bufferbloat.net. It would have to
> return A/AAAA records, because chasing a CNAME into ntp.org would fail to
> validate.
>
>     > of the entry, for the resolution of ntp server names, and then you have to
>     > somehow convey to the resolver that you want a secure lookup, but it's ok if
>     > it's expired (or too new, or...), which gets back to some of the earlier parts
>     > of this discussion.
>
> Bingo.


That would scale well for CeroWRT, but doesn't seem like it would scale
well for general-use (OpenWRT).  Or rather, the use of bufferbloat.net
wouldn't scale well.  But OpenWRT might be able to do the same with its
key, and have its own ntp.openwrt.org which resolves into the general ntp
pool.

-Aaron