[Cerowrt-devel] DNSSEC & NTP Bootstrapping

David Personette dperson at gmail.com
Tue Mar 25 05:55:03 EDT 2014


# ll $(which nslookup)
lrwxrwxrwx    1 root     root            17 Mar 21 13:16 /usr/bin/nslookup
-> ../../bin/busybox

I'm not sure it's the old nslookup that we're thinking of...

-- 
David P.



On Mon, Mar 24, 2014 at 5:58 PM, Dave Taht <dave.taht at gmail.com> wrote:

> I ship dig as an optional package for cerowrt.
>
> I think it's in bind-tools or bind-utils. It is terribly big, but most
> people hae enough spare flash to have it.
>
> An
>
> opkg update
> opkg list | less
>
> will show you what is available.
>
> I will argue that nobody wants to add functionality to the primitive
> nsupdate....
>
> On Mon, Mar 24, 2014 at 1:27 PM, David Personette <dperson at gmail.com>
> wrote:
> > Phil,
> >
> > With the exception of the extra dependencies (dig and python), I like
> this.
> > I would suggest that if DNSSEC will be enabled, that nslookup (I think
> > that's the only command line resolver included by CeroWRT/OpenWRT base
> > installs) be extended to have a similar option as dig, to resolve without
> > DNSSEC.
> >
> > The only other issue I see is if the router is brought online before
> > internet access is available. If I read your code correctly, it will try
> 4
> > times per defined server (with and without DNSSEC for IPv4 and IPv6),
> then
> > exit. It either needs to keep trying until it succeeds, or be called
> every
> > time a connection comes up (shutting down NTPd prior and restarting
> after).
> >
> > Thanks.
> >
> > --
> > David P.
> >
> >
> >
> > On Mon, Mar 24, 2014 at 3:12 PM, Phil Pennock
> > <cerowrt-devel+phil at spodhuis.org> wrote:
> >>
> >> On 2014-03-21 at 23:33 -0400, Joseph Swick wrote:
> >> > I've been lurking for several months now on the list and I remember
> some
> >> > discussion about trying to find acceptable methods for bootstrapping
> the
> >> > local system time so that DNSSEC would work.
> >>
> >> I raised this on the ntp-pool mailing-lists last year, looking for a
> >> solution because of the chicken/egg bootstrap, with suggested approaches
> >> and some trial scripts.  Eg:
> >>
> >>   http://lists.ntp.org/pipermail/pool/2013-July/006569.html
> >>
> >> For context, I'm currently running OpenWRT; attached is the
> >> /etc/init.d/ntpdate which I'm using.  It relies upon having Python and
> >> dig installed, as I haven't gotten around to building a small C utility
> >> to do just this task, but perhaps the approach is useful enough that
> >> someone else might do so?
> >>
> >> In summary: if the current time is less than the timestamp on the
> >> unbound-maintained copy of the root zone trust anchors, then bump the
> >> time up at least that far, because we must be at >= that timestamp, and
> >> this increases the odds that DNSSEC will validate if we haven't been
> >> off-line for too long.
> >>
> >> Then, for each hostname in the $STEP_SERVERS list (which could be
> >> taken from ntp.conf or uci config or whatever, but here is just
> >> hardcoded), I try to resolve IPv4 then IPv6, first with DNSSEC left
> >> enabled, and then with DNSSEC disabled via `dig +cd`.  The first dig
> >> command to return results is the one which is used.
> >>
> >> The idea is to minimize the potential vulnerability of syncing to a bad
> >> timesource, by using DNSSEC if it's available and works, after making
> >> sure it has a reasonable chance of working if we've just rebooted, and
> >> only if we've been off-line for some time do we fall back to insecure
> >> DNS.
> >>
> >> Make sure that the START value is appropriate for your systems; I've
> >> found the OpenWRT defaults to be sufficiently broken that I stomp on
> >> them on reinstall.  I run ntpdate once the network and firewall are up,
> >> but just before ntpd and both of those well before other network
> >> services which might depend upon time.
> >>
> >> Regards,
> >> -Phil
> >>
> >> #!/bin/sh /etc/rc.common
> >> # Copyright (C) 2006-2008 OpenWrt.org
> >> # Copyright (C) 2013 Phil Pennock
> >>
> >> START=60
> >>
> >> STEP_SERVERS="0.openwrt.pool.ntp.org 1.openwrt.pool.ntp.org
> >> 2.openwrt.pool.ntp.org"
> >> TIMEOUT="2" # in seconds
> >> PRESEED_TIMESTAMP_FN="/etc/unbound/runtime/root.autokey"
> >>
> >> # The core problem is that with DNSSEC, an invalid time prevents
> >> resolution
> >> # of DNS, but we need DNS to be able to find time-servers to get a good
> >> time
> >> # to be able to resolve DNS.
> >> #
> >> # We break out of this "Catch 22" situation by _trying_ normal DNS
> >> resolution,
> >> # IPv4 and then IPv6, and only if those fail do we forcibly disable
> DNSSEC
> >> # by using dig(1)'s +cd flag ("checking disabled"); trying normally
> first
> >> # protects us against malicious DNS trying to point us to bad
> >> time-servers,
> >> # if we've enough state that we _should_ already be protected.
> >> #
> >> # The "insecure" approach we regress to, as a last resort, is the same
> way
> >> # the Internet functioned for decades.  There is a DoS+hijack attack
> path
> >> # here, but if we don't have a good battery-backed clock to protect us,
> we
> >> # don't have a better solution.
> >>
> >> # Also, per a suggestion from Doug Calvert, we can use the timestamp of
> >> # modification of the unbound root.key file itself as an approximate
> time.
> >> # Unbound updates the file on every refresh, so it's not too far off.
> >>
> >> preseed_approximate_time() {
> >>         # Unfortunately, date(1) on OpenWRT can't parse the timestamp
> >>         # output from ls.
> >>         python -c '
> >> import os, time, sys
> >> fn=sys.argv[1]
> >> min_time=os.stat(fn).st_ctime
> >> if time.time() < min_time:
> >>   want=time.strftime("%Y%m%d%H%M.%S", time.gmtime(min_time))
> >>   os.system("date -u -s %s" % want)' "$PRESEED_TIMESTAMP_FN" > /dev/null
> >> }
> >>
> >> resolve_hostname_v4() {
> >> # we use the grep both to filter out cname referrals and to detect empty
> >> # results
> >>         local hn="$1"
> >>         shift
> >>         dig +nodnssec +short "$@" -t a "$hn" | grep '^[0-9][0-9.]*$'
> >> }
> >>
> >> resolve_hostname_v6() {
> >>         local hn="$1"
> >>         shift
> >>         dig +nodnssec +short "$@" -t aaaa "$hn" | grep -i
> >> '^[0-9a-f][0-9a-f.:]*$'
> >> }
> >>
> >> resolve_one_server() {
> >>         local hn="$1"
> >>         resolve_hostname_v4 $hn && return
> >>         resolve_hostname_v6 $hn && return
> >>         resolve_hostname_v4 $hn +cd && return
> >>         resolve_hostname_v6 $hn +cd && return
> >> }
> >>
> >> resolve_step_servers() {
> >>         local server ips
> >>         for server in $STEP_SERVERS ; do
> >>                 resolve_one_server $server
> >>         done
> >> }
> >>
> >> start() {
> >>         preseed_approximate_time
> >>         for s in $(resolve_step_servers) ; do
> >>                 /usr/sbin/ntpdate -s -b -u -t "$TIMEOUT" "$s" && break
> >>         done
> >>
> >> }
> >>
> >> _______________________________________________
> >> Cerowrt-devel mailing list
> >> Cerowrt-devel at lists.bufferbloat.net
> >> https://lists.bufferbloat.net/listinfo/cerowrt-devel
> >>
> >
> >
> > _______________________________________________
> > Cerowrt-devel mailing list
> > Cerowrt-devel at lists.bufferbloat.net
> > https://lists.bufferbloat.net/listinfo/cerowrt-devel
> >
>
>
>
> --
> Dave Täht
>
> Fixing bufferbloat with cerowrt:
> http://www.teklibre.com/cerowrt/subscribe.html
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.bufferbloat.net/pipermail/cerowrt-devel/attachments/20140325/08749526/attachment-0002.html>


More information about the Cerowrt-devel mailing list