[Cerowrt-devel] DNSSEC & NTP Bootstrapping

Phil Pennock cerowrt-devel+phil at spodhuis.org
Mon Mar 24 17:30:17 EDT 2014

On 2014-03-24 at 16:27 -0400, David Personette wrote:
> With the exception of the extra dependencies (dig and python), I like this.

Thanks -- that's about my stance too.  It helps prove the algorithm and
approach, but needs to be rewritten as a small tool.

> The only other issue I see is if the router is brought online before
> internet access is available. If I read your code correctly, it will try 4
> times per defined server (with and without DNSSEC for IPv4 and IPv6), then
> exit. It either needs to keep trying until it succeeds, or be called every
> time a connection comes up (shutting down NTPd prior and restarting after).

True -- a small tool which can be put into the interfaces up script
would work well.  I'm on a rather stable FiOS connection, so it's not
been an issue for me, which is why I'm still on the bloated version I
have -- it works.

Here's about what I have in mind; the ntpsrv stratum check and the
restart ntpd ourselves bits are beyond what's in the proof-of-concept
script, which is what I've been using on my home router since last July
or so (OpenWRT backfire and then later attitude adjustment).

  Usage: update-time-securely [-n ntpsrv] [-r reffile] [-t dnstimeout] hostnames...

Assume ntpsrv is, send a control packet equivalent to sysinfo,
check stratum.  If stratum is present and less than some cut-off (10?
Most free-wheeling modes use 12 or greater, right?) then we're done.  If
no response or stratum too high, ntpd is eligible for nuking.

Use the reference file as the trust anchor from dnsmasq/unbound; handle
the file given being a symlink and ensure the ctime of the file pointed
to (to handle it being a link which package management can point at
dnsmasq or unbound's config).  If clocktime is less then the timestamp
on that file (less a concurrency jitter) then time is Wrong.  Nuke ntpd
now, force time to step up-to that value, syslog it (before and after).

Try to resolve the hostnames, all together, A and AAAA concurrently.  If
we get any results, use those.  If we get no results, try again but with
the CD flag set in the DNS queries.

If we got results from the DNS resolution, nuke ntpd if it wasn't
already nuked.  Invoke ntpdate to set the time, accept the default
values and cut-offs for adjtime vs settimeofday.

If we nuked ntpd, start it again ourselves.  We can use a capture of
/proc/$oldpid/cmdline to get the command-line to invoke, or it can be a
flag option, or an option to use a magic exit code to indicate to the
caller that ntpd should now be started.

More information about the Cerowrt-devel mailing list