[Cerowrt-devel] DNSSEC & NTP Bootstrapping -- prototype!

Dave Taht dave.taht at gmail.com
Sun Mar 30 12:59:51 EDT 2014

On Sun, Mar 30, 2014 at 6:21 AM, Toke Høiland-Jørgensen <toke at toke.dk> wrote:
> Dave Taht <dave.taht at gmail.com> writes:
>> Well I strongly favor less interdependency between ntp, a monitoring
>> script, and dnsmasq.
> Well, the reverse dependency (i.e. the modification of the ntpd startup
> script) is not strictly needed, so the dependency could be made to be
> one-way (it kinda is already). Also, in case ntpd is missing it's quite
> easy to just bail out and start dnsmasq in full validation mode.
> The nice thing about this switch to dnsmasq is that it does validation
> of the chain, just ignoring validity times; which presumably would make
> it harder to exploit as you'd need an actual valid key, rather than just
> be able to spoof the packets reply of the non-validated query...
>> I'd kind of like some sort of check on validating the dns roots, if it
>> fails due to the time being wrong, disable dnssec and wait for clock
>> slew.
> Well conceivably you could be in a situation where the roots validate,
> but validation fails further down the chain, making that scheme fail in
> weird and unpredictable ways?



>> Another other alternative is a ntp that does a query with the
>> authenticate bit off, all the time.

> This would involve teaching the uclibc resolver about the CD bit and
> expose it in the resolver API I think. Can look into how difficult this
> actually is to do; with the caveat that I'm not exactly an expert on
> such code :P

> Also, see above re: validation modes.
>> On Sat, Mar 29, 2014 at 2:21 PM, Michael Richardson <mcr at sandelman.ca> wrote:
>>> This process needs to be written up as an IETF BCP.
> I'll be happy to write something up once we actually settle on something :)
> -Toke

Dave Täht

Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html

More information about the Cerowrt-devel mailing list