[Cerowrt-devel] DNSSEC & NTP Bootstrapping -- prototype!

Robert Bradley robert.bradley1 at gmail.com
Mon Mar 31 13:26:10 EDT 2014


On 31/03/2014 13:42, Robert Bradley wrote:
> There is a val_getaddrinfo() available in libval which is based on
> http://tools.ietf.org/html/draft-hayatnagarkar-dnsext-validator-api-09#section-3.2
> if we want to go down that route.
<snip>
> The validation in that case is done entirely outside dnsmasq (with the
> CD bit set on the libval queries).  We have libval available already but
> not installed, so that is not a problem.  Implementing this in BusyBox
> and sysntpd may be a bit of an issue though.

I have a *very* rough implementation of this at
https://github.com/rb12345/busybox (ntpd-dnssec branch), based on
busybox HEAD.  However, this is completely untested at this point.  This
patch requires the libval and libsres libraries to operate and
introduces a new ENABLE_FEATURE_DNSSEC flag/config option.  When
enabled, the internal str2sockaddr/val_str2sockaddr function will always
validate DNSSEC signatures using the libval library.  The nice thing
about this is that if it works, upstream ISP support for DNSSEC is
unnecessary since all the queries and responses are performed locally. 
The downside is that everything in busybox that uses str2sockaddr is now
forced to do recursive DNSSEC lookups.

-- 
Robert Bradley
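The distinction the post turns on, as an added example that is not code from the busybox ntpd-dnssec branch, from libval, or from the poster: a client that validates DNSSEC locally sends its queries with the CD (checking disabled) bit set and must not rely on the AD (authenticated data) bit an upstream resolver puts in its reply, because that bit is only the resolver's own assertion and travels unprotected unless the path to the resolver is itself secured. The bit positions follow RFC 1035 and RFC 4035; the function names (`dns_build_query_header`, `dns_answer_trusted`, `query_flags_for`) and the sample response header are constructed for this example and are not part of any library.

```c
/* Added example: DNS header flag handling for a locally validating client.
 * Not from the busybox patch or libval; names and sample bytes are constructed. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Flag bits in the second 16-bit word of the DNS header (RFC 1035, RFC 4035). */
#define DNS_FLAG_QR 0x8000   /* response (1) or query (0) */
#define DNS_FLAG_RD 0x0100   /* recursion desired */
#define DNS_FLAG_RA 0x0080   /* recursion available */
#define DNS_FLAG_AD 0x0020   /* authenticated data: resolver says it validated */
#define DNS_FLAG_CD 0x0010   /* checking disabled: resolver should not validate */
#define DNS_HDR_LEN 12

/* Write a 12-byte query header. When validate_locally is nonzero the CD bit is
 * set so the upstream resolver hands back data it could not validate itself;
 * the local validator (libval in the post) then checks the signatures. */
size_t dns_build_query_header(uint8_t *buf, uint16_t id, int validate_locally)
{
    uint16_t flags = DNS_FLAG_RD;
    if (validate_locally)
        flags |= DNS_FLAG_CD;
    buf[0] = (uint8_t)(id >> 8);
    buf[1] = (uint8_t)(id & 0xff);
    buf[2] = (uint8_t)(flags >> 8);
    buf[3] = (uint8_t)(flags & 0xff);
    memset(buf + 4, 0, DNS_HDR_LEN - 4);
    buf[5] = 1;                 /* QDCOUNT = 1 */
    return DNS_HDR_LEN;
}

/* Flags word of a DNS header, host byte order. */
uint16_t dns_header_flags(const uint8_t *buf)
{
    return (uint16_t)((buf[2] << 8) | buf[3]);
}

/* Helper for checks: build a query into a static buffer and return its flags. */
uint16_t query_flags_for(int validate_locally)
{
    static uint8_t q[DNS_HDR_LEN];
    dns_build_query_header(q, 0x1234, validate_locally);
    return dns_header_flags(q);
}

/* Decide whether an answer may be used.
 *   query_had_cd    : the query was sent with CD set (local validation mode)
 *   local_validated : nonzero if the local validator accepted the answer
 * In local validation mode the upstream AD bit is ignored entirely: only the
 * local result counts. The other branch models the alternative the post calls
 * unnecessary, trusting the resolver's AD bit, which is only meaningful when
 * the path to that resolver is trusted. */
int dns_answer_trusted(const uint8_t *resp, int query_had_cd, int local_validated)
{
    uint16_t flags = dns_header_flags(resp);
    if (!(flags & DNS_FLAG_QR))
        return 0;                                   /* not a response at all */
    if (query_had_cd)
        return local_validated ? 1 : 0;             /* AD from upstream ignored */
    return (flags & DNS_FLAG_AD) ? 1 : 0;           /* rely on resolver's claim */
}

/* Constructed sample: header of a reply from a resolver that validated the
 * answer itself (QR, RD, RA, AD set; one question, one answer record). */
const uint8_t sample_upstream_validated_response[DNS_HDR_LEN] = {
    0x12, 0x34, 0x81, 0xa0, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00
};

int main(void)
{
    printf("query flags, local validation: 0x%04x\n", query_flags_for(1));
    printf("query flags, upstream trusted:  0x%04x\n", query_flags_for(0));
    printf("CD query, local validation failed -> usable: %d\n",
           dns_answer_trusted(sample_upstream_validated_response, 1, 0));
    printf("CD query, local validation passed -> usable: %d\n",
           dns_answer_trusted(sample_upstream_validated_response, 1, 1));
    return 0;
}
```

The point of `dns_answer_trusted` is that once the client sets CD it has taken responsibility for validation, so an AD bit in the reply (here set in the constructed sample) changes nothing; that is the trade-off the post describes, where local validation makes upstream DNSSEC support unnecessary at the cost of every lookup doing the validation work itself.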

