[Cerowrt-devel] DNSSEC & NTP Bootstrapping

Valdis.Kletnieks at vt.edu Valdis.Kletnieks at vt.edu
Mon Mar 24 09:54:47 EDT 2014


On Mon, 24 Mar 2014 08:29:16 -0400, Chuck Anderson said:

> How about writing an RFC to define a well-known NTP anycast address
> and using that as a fallback?  This is a problem that needs to be
> solved for the larger internet community, not just CeroWRT/OpenWRT.

Using a well-known anycast address for NTP is somewhat problematic for security.
It's possible to secure anycast DNS using DNSSEC - but the NTP crypto isn't
suitable for securing an anycast mode.

Fortunately, for many use cases, we can probably rely on the upstream
provider to hand us an NTP server address in a DHCP extension.  If you're
willing to trust the *rest* of that DHCP response, you may as well trust the
NTP server it points you at.

I admit not having a clever idea for the non-DHCP case though...
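
The DHCP extension mentioned above is, in DHCPv4, the NTP Servers option (code 42, RFC 2132), which carries raw IPv4 addresses, so a client can use it without a DNS lookup before its clock is set. The following parser is an added example, not part of the original post or of CeroWrt; the function names, the sanity filter on addresses, and the sample bytes are constructed for illustration.

```python
import ipaddress

OPT_PAD, OPT_NTP_SERVERS, OPT_END = 0, 42, 255  # RFC 2132 option codes

def iter_dhcp_options(options: bytes):
    """Yield (code, value) pairs from a DHCPv4 options field (bytes after the magic cookie)."""
    i = 0
    while i < len(options):
        code = options[i]
        i += 1
        if code == OPT_PAD:          # pad is a single byte with no length
            continue
        if code == OPT_END:          # nothing after End is interpreted
            return
        if i >= len(options):
            raise ValueError(f"option {code}: missing length byte")
        length = options[i]
        i += 1
        if i + length > len(options):
            raise ValueError(f"option {code}: value runs past end of packet")
        yield code, options[i:i + length]
        i += length

def ntp_servers(options: bytes) -> list[str]:
    """Return the NTP server addresses from option 42, in the order offered."""
    servers = []
    for code, value in iter_dhcp_options(options):
        if code != OPT_NTP_SERVERS:
            continue
        if not value or len(value) % 4:
            raise ValueError("option 42 length must be a non-zero multiple of 4")
        for off in range(0, len(value), 4):
            addr = ipaddress.IPv4Address(value[off:off + 4])
            # Sanity filter (an assumption of this example): skip addresses
            # that cannot be a usable unicast time source.
            if addr.is_unspecified or addr.is_multicast or addr.is_loopback:
                continue
            if str(addr) not in servers:
                servers.append(str(addr))
    return servers

# Constructed sample: subnet mask, router, two NTP servers, padding, End.
SAMPLE = bytes([1, 4, 255, 255, 255, 0,
                3, 4, 192, 0, 2, 1,
                42, 8, 192, 0, 2, 10, 198, 51, 100, 20,
                0, 0, 255])

if __name__ == "__main__":
    print(ntp_servers(SAMPLE))
```

The parser only validates the option's structure; the addresses it returns are exactly as trustworthy as the DHCP response they came from.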

