[Cerowrt-devel] DNSSEC & NTP Bootstrapping

Phil Pennock cerowrt-devel+phil at spodhuis.org
Mon Mar 24 15:12:03 EDT 2014 

On 2014-03-21 at 23:33 -0400, Joseph Swick wrote:
> I've been lurking for several months now on the list and I remember some
> discussion about trying to find acceptable methods for bootstrapping the
> local system time so that DNSSEC would work.

I raised this on the ntp-pool mailing-lists last year, looking for a
solution because of the chicken/egg bootstrap, with suggested approaches
and some trial scripts.  Eg:

  http://lists.ntp.org/pipermail/pool/2013-July/006569.html

For context, I'm currently running OpenWRT; attached is the
/etc/init.d/ntpdate which I'm using.  It relies upon having Python and
dig installed, as I haven't gotten around to building a small C utility
to do just this task, but perhaps the approach is useful enough that
someone else might do so?

In summary: if the current time is less than the timestamp on the
unbound-maintained copy of the root zone trust anchors, then bump the
time up at least that far, because we must be at >= that timestamp, and
this increases the odds that DNSSEC will validate if we haven't been
off-line for too long.

Then, for each hostname in the $STEP_SERVERS list (which could be
taken from ntp.conf or uci config or whatever, but here is just
hardcoded), I try to resolve IPv4 then IPv6, first with DNSSEC left
enabled, and then with DNSSEC disabled via `dig +cd`.  The first dig
command to return results is the one which is used.

The idea is to minimize the potential vulnerability of syncing to a bad
timesource, by using DNSSEC if it's available and works, after making
sure it has a reasonable chance of working if we've just rebooted, and
only if we've been off-line for some time do we fall back to insecure
DNS.

Make sure that the START value is appropriate for your systems; I've
found the OpenWRT defaults to be sufficiently broken that I stomp on
them on reinstall.  I run ntpdate once the network and firewall are up,
but just before ntpd and both of those well before other network
services which might depend upon time.

Regards,
-Phil
-------------- next part --------------
#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2008 OpenWrt.org
# Copyright (C) 2013 Phil Pennock

START=60

STEP_SERVERS="0.openwrt.pool.ntp.org 1.openwrt.pool.ntp.org 2.openwrt.pool.ntp.org"
TIMEOUT="2" # in seconds
PRESEED_TIMESTAMP_FN="/etc/unbound/runtime/root.autokey"

# The core problem is that with DNSSEC, an invalid time prevents resolution
# of DNS, but we need DNS to be able to find time-servers to get a good time
# to be able to resolve DNS.
#
# We break out of this "Catch 22" situation by _trying_ normal DNS resolution,
# IPv4 and then IPv6, and only if those fail do we forcibly disable DNSSEC
# by using dig(1)'s +cd flag ("checking disabled"); trying normally first
# protects us against malicious DNS trying to point us to bad time-servers,
# if we've enough state that we _should_ already be protected.
#
# The "insecure" approach we regress to, as a last resort, is the same way
# the Internet functioned for decades.  There is a DoS+hijack attack path
# here, but if we don't have a good battery-backed clock to protect us, we
# don't have a better solution.

# Also, per a suggestion from Doug Calvert, we can use the timestamp of
# modification of the unbound root.key file itself as an approximate time.
# Unbound updates the file on every refresh, so it's not too far off.

preseed_approximate_time() {
	# Unfortunately, date(1) on OpenWRT can't parse the timestamp
	# output from ls.
	python -c '
import os, time, sys
fn=sys.argv[1]
min_time=os.stat(fn).st_ctime
if time.time() < min_time:
  want=time.strftime("%Y%m%d%H%M.%S", time.gmtime(min_time))
  os.system("date -u -s %s" % want)' "$PRESEED_TIMESTAMP_FN" > /dev/null
}

resolve_hostname_v4() {
# we use the grep both to filter out cname referrals and to detect empty
# results
	local hn="$1"
	shift
	dig +nodnssec +short "$@" -t a "$hn" | grep '^[0-9][0-9.]*$'
}

resolve_hostname_v6() {
	local hn="$1"
	shift
	dig +nodnssec +short "$@" -t aaaa "$hn" | grep -i '^[0-9a-f][0-9a-f.:]*$'
}

resolve_one_server() {
	local hn="$1"
	resolve_hostname_v4 $hn && return
	resolve_hostname_v6 $hn && return
	resolve_hostname_v4 $hn +cd && return
	resolve_hostname_v6 $hn +cd && return
}

resolve_step_servers() {
	local server ips
	for server in $STEP_SERVERS ; do
		resolve_one_server $server
	done
}

start() {
	preseed_approximate_time
	for s in $(resolve_step_servers) ; do
		/usr/sbin/ntpdate -s -b -u -t "$TIMEOUT" "$s" && break
	done
}
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 455 bytes
Desc: not available
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20140324/57cf2f97/attachment.sig>

More information about the Cerowrt-devel mailing list