It seems no one came forward for support of this. I guess the effort
then is not needed to put this into OpenBSD/ntpd. On a side note my dns server now does TSIG for axfr,
notifies and queries if it's configured to do so. To properly put it
into openntpd would be about 2-3 days work I guess, if the need-case
comes up again (that's with code that checks a time response, which
isn't really needed just to get a timestamp :-)).
Thanks!
-peter
On 2/25/19 5:04 PM, Otto Moerbeek wrote:
On Mon, Feb 25, 2019 at 09:38:13AM +0100, Peter J. Philipp wrote:
Hi,
I'm currently working with TSIG (RFC 2845) on my project. The idea came to me
to use it as a constraint to openntpd. This would solve a paradox on my NUC
which does DNS in my apartment. The NUC's BIND uses TSIG to question a
forwarder for DNS answers. TSIG relies on time to be correct within a small
window (called a fudge). So you see, the HTTPS constraints on the NUC would
never work if the time was off (thankfully it has an RTC), because it would
not be able to look up the name of the server. It's an endless spiral if
not intervened (DNS does not work because of bad time, time does not get
updated because of DNS).
I already shared some TSIG work, three years ago, here:
https://marc.info/?l=openbsd-tech&m=145656997013119&w=2
And I can probably enhance that to cause a timecheck on the DNS server with
TSIG.
This would also enable me to move the BIND closer to the router (currently
an octeon without RTC) and possibly have a second nameserver in the local LAN.
A TSIG is authenticated and I believe to get past BADKEY and BADSIG messages to
get BADTIME replies one has to configure a key. Question is, does OpenBSD have
a need for something like that? I can branch off my work that I'm currently
doing and spend some time on ntpd.
Regards,
-peter
I've done some work in a related area, bootstrapping ntpd while using
a DNSSEC enabled resolver. If the time is off, that does not work atm.
That work was never finished because of reasons.
But I think the TSIG use case is pretty limited. Who uses it other
than for zone transfers?
-Otto
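The TSIG time check Peter proposes above, as an added example that is not part of this thread nor code from OpenBSD, openntpd or BIND: a minimal RFC 2845 request MAC, the server-side BADSIG/BADTIME checks, and the client-side reading of a BADTIME reply. The key name, secret, message bytes and function names are constructed for the example.

```python
import hmac
import hashlib
import struct

# Constructed demo key; a real deployment reads it from the key {} clause
# shared by resolver and forwarder.
KEY_NAME = "demo-key."
SECRET = b"constructed-demo-secret"
ALGORITHM = "hmac-sha256."
# Constructed bytes standing in for a DNS query with the TSIG RR removed.
DEMO_MESSAGE = b"\x12\x34\x01\x00\x00\x01\x00\x00\x00\x00\x00\x00"
BADSIG, BADTIME = 16, 18  # TSIG error codes defined in RFC 2845

def dns_name(name):
    """Canonical wire form of a DNS name: lower-case, length-prefixed labels."""
    labels = name.lower().rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"

def tsig_mac(message, time_signed, fudge, error=0, other=b""):
    """HMAC over the message followed by the TSIG variables (RFC 2845 3.4.2).
    The request-MAC prefix used when signing responses is omitted here."""
    tsig_vars = (dns_name(KEY_NAME)
                 + struct.pack("!HI", 255, 0)        # CLASS ANY, TTL 0
                 + dns_name(ALGORITHM)
                 + time_signed.to_bytes(6, "big")    # 48-bit Time Signed
                 + struct.pack("!HHH", fudge, error, len(other)) + other)
    return hmac.new(SECRET, message + tsig_vars, hashlib.sha256).digest()

def verify(message, mac, time_signed, fudge, server_now):
    """Server-side checks in RFC 2845 order: signature first, then the time
    window. Returns (tsig_error, other_data); on BADTIME other_data carries
    the server's own 48-bit time."""
    if not hmac.compare_digest(mac, tsig_mac(message, time_signed, fudge)):
        return BADSIG, b""
    if abs(server_now - time_signed) > fudge:
        return BADTIME, server_now.to_bytes(6, "big")
    return 0, b""

def clock_offset_from_reply(client_now, reply):
    """The idea from the thread: a BADTIME reply reveals the server clock, so a
    client with a bad RTC can learn its offset before any name lookup works.
    Returns 0 when the reply carries no time (signature failed or time OK)."""
    error, other = reply
    if error != BADTIME:
        return 0
    return int.from_bytes(other, "big") - client_now
```

Because the signature is checked before the time, only a holder of the shared key ever receives the server time in Other Data, which is why a key must be configured to get past BADKEY/BADSIG to BADTIME.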