On Mon, Apr 14, 2014 at 02:07:07PM +0200, Juan Orti Alcaine wrote: > One thing I would like to note is that in machines which don't have > a hardware clock, I had problems starting bind and unbound, because > the date was back to 1970 in each boot, so the root dns key was not > yet valid and there were no valid dns resolvers to update time by > ntp. I had to hardcode some ntp servers IP addresses to perform the > ntp queries at boot time. > > This was using the OpenWrt distro in a mips router, I don't know if > we can face this kind of problem in ARM machines. I guess all x86 > have hardware clock, doesn't they?
The NTP Bootstrapping problem is well known. There is an effort to deal with that here (in the context of dnsmasq DNSSEC on OpenWRT/CeroWRT): http://comments.gmane.org/gmane.comp.embedded.cerowrt.devel/2244 Search for the word "prototype" to find a description of one implementation. "The nice thing about this switch to dnsmasq is that it does validation of the chain, just ignoring validity times; which presumably would make it harder to exploit as you'd need an actual valid key, rather than just be able to spoof the packets reply of the non-validated query.." There are many other ideas in that thread. -- devel mailing list devel@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/devel Fedora Code of Conduct: http://fedoraproject.org/code-of-conduct
