On Sep 10, 2013, at 8:17 PM, David Morris <[email protected]> wrote:
>
>
> On Wed, 11 Sep 2013, Brian E Carpenter wrote:
>
>> On 11/09/2013 09:59, Olafur Gudmundsson wrote:
>> ...
>>> My colleagues and I worked on OpenWrt routers to get Unbound to work there,
>>> what you need to do is to start DNS up in non-validating mode
>>> wait for NTP to fix time, then check if the link allows DNSSEC answers
>>> through, at which point you can enable DNSSEC validation.
>>
>> Hopefully you also flush the DNS cache as soon as NTP runs. Even so,
>> paranoia suggests that a dodgy IP address might still be cached in
>> some app.
>
> I think you can avoid that issue by having the device not pass traffic
> until the DNSSEC validation is enabled. Only the device needs the special
> permissive handling for this to work.
>
You mean only allow NTP and DNS traffic in the beginning, until checks are
done?
In many cases we can get a reasonable time by writing the current time to an
NVRAM variable every 6 hours or so, but that only helps for reboot.
Olafur
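The boot sequence described in this thread (start the resolver without strict validation, seed the clock from a value saved every 6 hours, wait for NTP, check that RRSIGs actually arrive over the link, then turn validation on and flush the cache as Brian suggests), as an added example that is not part of the thread and not the authors' OpenWrt work. It is a POSIX sh script; the file paths, the NTP flag file, the `UPSTREAM` placeholder address, the use of `dig` and `unbound-control`, and the choice of Unbound's `val-permissive-mode` as the "non-validating" stage are all assumptions made here, and the dig output used for the offline check is constructed.

```shell
#!/bin/sh
# Added example, not the thread's or the authors' OpenWrt code. Everything
# below the comments marked "assumed" is a guess at a plausible deployment.

TIME_FILE="${TIME_FILE:-/etc/saved-time}"    # assumed: file that survives reboot (NVRAM-backed)
NTP_FLAG="${NTP_FLAG:-/var/run/ntp.synced}"  # assumed: touched by an ntpd hotplug script on sync
UPSTREAM="${UPSTREAM:-192.0.2.53}"           # placeholder upstream resolver (TEST-NET address)

# Run from cron every 6 hours: remember the clock so the next boot does not
# start in 1970, where every RRSIG and TLS certificate looks expired.
save_time() {
    date +%s > "$TIME_FILE"
}

# Pick the clock to use at boot: the saved value only if it is later than the
# clock the kernel came up with, and only if the file holds a plain integer.
# Prints the chosen epoch seconds.
choose_boot_time() {
    now="$1"
    saved=""
    [ -r "$TIME_FILE" ] && saved=$(cat "$TIME_FILE")
    case "$saved" in ''|*[!0-9]*) saved=0 ;; esac
    if [ "$saved" -gt "$now" ]; then echo "$saved"; else echo "$now"; fi
}

# Wait up to $1 seconds for the NTP-synced marker; returns 1 on timeout.
wait_for_ntp() {
    limit="${1:-120}"
    waited=0
    while [ ! -e "$NTP_FLAG" ]; do
        [ "$waited" -ge "$limit" ] && return 1
        sleep 1
        waited=$((waited + 1))
    done
    return 0
}

# Does the dig output in $1 carry RRSIGs in its answer section? This is the
# "link lets DNSSEC through" test: a middlebox that strips EDNS/DO or the
# signatures would make validation fail for every name, so do not enable it.
dnssec_passes_through() {
    printf '%s\n' "$1" | awk '
        /^;; ANSWER SECTION:/      { in_answer = 1; next }
        /^;;/                      { in_answer = 0 }
        in_answer && $4 == "RRSIG" { found = 1 }
        END                        { exit found ? 0 : 1 }'
}

# Live probe (assumed: dig is installed; asks the upstream for the root DNSKEY
# with the DO bit set and checks whether signatures came back).
probe_dnssec_passthrough() {
    out=$(dig @"$1" . DNSKEY +dnssec +time=3 +tries=1 2>/dev/null) || return 1
    dnssec_passes_through "$out"
}

# Constructed, abridged dig output for the offline check: one response where
# the signatures arrive, one where the path stripped them. Key data is fake.
SAMPLE_DIG_SIGNED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1

;; ANSWER SECTION:
. 86400 IN DNSKEY 257 3 8 EXAMPLEKEYDATA
. 86400 IN RRSIG DNSKEY 8 0 172800 20131002000000 20130918000000 19036 . EXAMPLESIGDATA

;; Query time: 20 msec'
SAMPLE_DIG_STRIPPED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; ANSWER SECTION:
. 86400 IN DNSKEY 257 3 8 EXAMPLEKEYDATA

;; Query time: 20 msec'

# The boot sequence itself (only runs when invoked as: this-script boot).
# The thread says "non-validating mode"; here Unbound is assumed to start with
# val-permissive-mode: yes (validator loaded, bogus answers still served) so
# the switch to strict validation can be made at runtime without a restart.
bootstrap() {
    date -s "@$(choose_boot_time "$(date +%s)")" >/dev/null   # assumed: date accepts @epoch
    /etc/init.d/unbound start                                  # assumed init script and config
    wait_for_ntp 300 || { logger -t dnssec-boot "no NTP sync; staying permissive"; return 1; }
    probe_dnssec_passthrough "$UPSTREAM" || { logger -t dnssec-boot "path strips DNSSEC; staying permissive"; return 1; }
    # Strict validation on, then drop everything cached while the clock was wrong.
    unbound-control set_option val-permissive-mode: no
    unbound-control flush_zone .
    logger -t dnssec-boot "DNSSEC validation enabled"
}

if [ "${1:-}" = "boot" ]; then bootstrap; fi
```

David's point about not passing client traffic until the strict stage is reached would sit between the `unbound start` and the final `set_option` as a firewall rule change; it is left out here so the script stays about the clock and resolver state. Wiring `save_time` into cron covers the warm-reboot case Olafur mentions; a cold device whose NVRAM was never written still has to rely on the NTP wait.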