On 2017-12-18 06:44, Timothe Litt wrote:
On 18-Dec-17 01:07, Dave Warren wrote:
On 2017-12-15 06:23, Petr Menšík wrote:
Dne 15.12.2017 v 13:06 G.W. Haywood via bind-users napsal(a):
Hi there,
On Fri, 15 Dec 2017, Petr Men??k wrote:
... current time is not available or can be inaccurate.
ntpdate?
Sure, of course. What would be default host after installation, that can
be used in default installation image without manual configuration? And
how does it resolve that name, when date of the system is 1970-1-1 or
something a only a bit more accurate?
Current pool.ntp.org adresses are unsigned now, so that would work
anyway. If I want spoof protection, what should I do?
Do two passes. First: Use DNS without DNSSEC validation to obtain a
list of NTP servers, and thereby determine the current time. Second:
Use DNS with DNSSEC to obtain a list of (trusted) NTP servers, and
verify the time.
The second pass might detect the list of IPs has changed and bypass
the second NTP pass as we now know the previous IPs were valid, but
you must be prepared for DNS to return different IPs from a pool and
to therefore re-verify the time -- We don't care if the IP list has
changed, only that the time is valid.
The only real challenge is to avoid letting anything else trust the
time received in phase 1 until it has been validated by phase 2.
This proposal is involved, but doesn't seem to robustly solve the problem.
* Pass 1 obtains "current time". But you don't trust that the IP
addresses of the NTP servers were correctly resolved. So you don't
trust this time. However, you need a reasonably trustworthy time to
bootstrap DNSSEC. (On the order of minutes). Else DNSSEC
validation can fail.
Right, this is the whole point and why it works. If either DNS or NTP is
malicious, pass 2's DNSSEC validation fails and we know we don't yet
have valid time.
* If you're using the pools (and they resolve correctly), you're
pretty much guaranteed that any two queries will produce a different
set of servers. So IP addresses will change.
DNS caching may provide the same IP addresses. It is irrelevant as this
is just an optimization which fails gracefully, or can be skipped entirely.
* Pass 2 requires "trusted" NTP servers. If you have that list, why
not resolve those names without validation in the first place? You
could assume that a hostile actor knows which names you resolve, and
assume that they will substitute bad timekeepers. But if they can
do that, they can do the same for the pools' names.
I think that this is the whole point -- There is no hardcoded list of
trusted NTP servers. We need to obtain the list from DNS (pass 1) and
verify that the list can be trusted using DNSSEC (pass 2).
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
