On Sep 10, 2013, at 6:45 PM, Evan Hunt <[email protected]> wrote:
> On Tue, Sep 10, 2013 at 05:59:52PM -0400, Olafur Gudmundsson wrote:
>> My colleagues and I worked on OpenWrt routers to get Unbound to work
>> there. What you need to do is to start DNS up in non-validating mode, wait
>> for NTP to fix time, then check if the link allows DNSSEC answers
>> through, at which point you can enable DNSSEC validation.
>
> That's roughly what we did with BIND on OpenWrt/CeroWrt as well. We
> also discussed hacking NTP to set the CD bit on its initial DNS queries,
> but I don't think any of the code made it upstream.
>
Not sure if this will work in all cases, as a paranoid resolver might
only ignore the CD bit for the actual answer, not for the DNS records needed
to navigate to the answer.
> My real recommendation would be to run an NTP pool in an anycast cloud of
> well-known v4 and v6 addresses guaranteed to be reliable over a period of
> years. NTP could then fall back to those addresses if unable to look up the
> server it was configured to use. DNS relies on a well-known set of root
> server addresses for bootstrapping; I don't see why NTP shouldn't do the
> same.
>
This is something worth suggesting, and
> (Actually... the root nameservers could *almost* provide a workable time
> tick for bootstrapping purposes right now: the SOA record for the root
> zone encodes today's date in the serial number. So you do the SOA lookup,
> set your system clock, attempt validation; on failure, set the clock an
> hour forward and try again; on success, use NTP to fine-tune. Klugey! :) )
>
RRSIG on the SOA or NS or DNSKEY is also a fine timestamp, except when it is a
replay attack or a forgery.
Olafur
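The bootstrap kluge discussed above (read the date out of the root SOA serial, step the clock forward an hour at a time until the RRSIG validity windows accept it, then let NTP fine-tune), written out as an added example that is not code from the thread or from either participant. The serial and RRSIG windows are constructed sample values; the functions `serial_to_date` and `bootstrap_clock` are hypothetical names.

```python
from datetime import datetime, timedelta, timezone
from typing import Iterable, Optional, Tuple

HOUR = timedelta(hours=1)


def serial_to_date(serial: int) -> datetime:
    """Decode a root-zone style SOA serial (YYYYMMDDnn) into midnight UTC of that day.

    Only the date is recoverable: the trailing two digits are a per-day
    revision counter, not a time of day, which is why the caller still
    has to probe for the hour.
    """
    digits = str(serial)
    if len(digits) != 10:
        raise ValueError(f"serial {serial} is not in YYYYMMDDnn form")
    return datetime.strptime(digits[:8], "%Y%m%d").replace(tzinfo=timezone.utc)


def bootstrap_clock(serial: int,
                    rrsig_windows: Iterable[Tuple[datetime, datetime]],
                    max_steps: int = 48) -> Optional[datetime]:
    """Return the first hourly candidate, starting at the SOA date, that lies
    inside every (inception, expiration) RRSIG window, or None if no candidate
    within max_steps hours does.

    Caveat from the thread: a replayed, internally consistent set of old
    records passes this check just as well as a fresh one; the serial and
    RRSIGs are a coarse tick for bootstrapping, not a trusted time source.
    """
    windows = list(rrsig_windows)
    candidate = serial_to_date(serial)
    for _ in range(max_steps):
        if all(inception <= candidate <= expiration
               for inception, expiration in windows):
            return candidate
        candidate += HOUR  # validation "failed": nudge the clock forward
    return None


# Constructed sample values (not from the thread): a serial for 2013-09-10
# and two RRSIG validity windows as a resolver might see them.
SAMPLE_SERIAL = 2013091001
SAMPLE_WINDOWS = [
    (datetime(2013, 9, 10, 14, 0, tzinfo=timezone.utc),
     datetime(2013, 9, 20, 14, 0, tzinfo=timezone.utc)),
    (datetime(2013, 9, 9, 0, 0, tzinfo=timezone.utc),
     datetime(2013, 9, 19, 0, 0, tzinfo=timezone.utc)),
]

if __name__ == "__main__":
    print(bootstrap_clock(SAMPLE_SERIAL, SAMPLE_WINDOWS))  # 2013-09-10 14:00:00+00:00
```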