
Re: [DNSOP] Practical issues deploying DNSSEC into the home.

2013-09-11 09:20:14

On Sep 10, 2013, at 6:45 PM, Evan Hunt <each(_at_)isc(_dot_)org> wrote:

> On Tue, Sep 10, 2013 at 05:59:52PM -0400, Olafur Gudmundsson wrote:
>> My colleagues and I worked on OpenWrt routers to get Unbound to work
>> there. What you need to do is to start DNS up in non-validating mode, wait
>> for NTP to fix the time, then check whether the link allows DNSSEC answers
>> through, at which point you can enable DNSSEC validation.

> That's roughly what we did with BIND on OpenWrt/CeroWrt as well.  We
> also discussed hacking NTP to set the CD bit on its initial DNS queries,
> but I don't think any of the code made it upstream.


Not sure if this will work in all cases, as a paranoid resolver might
only ignore the CD bit for the actual answer, not for the DNS records needed
to navigate to the answer.


> My real recommendation would be to run an NTP pool in an anycast cloud of
> well-known v4 and v6 addresses guaranteed to be reliable over a period of
> years. NTP could then fall back to those addresses if unable to look up the
> server it was configured to use.  DNS relies on a well-known set of root
> server addresses for bootstrapping; I don't see why NTP shouldn't do the
> same.


This is something worth suggesting, and 

> (Actually... the root nameservers could *almost* provide a workable time
> tick for bootstrapping purposes right now: the SOA record for the root
> zone encodes today's date in the serial number.  So you do the SOA lookup,
> set your system clock, attempt validation; on failure, set the clock an
> hour forward and try again; on success, use NTP to fine-tune. Klugey! :) )


The RRSIG on the SOA or NS or DNSKEY is also a fine timestamp, except when it is
a replay attack or a forgery.

        Olafur
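An added illustration of the bootstrap sequence discussed above; this is not code from either poster, nor from Unbound, BIND or OpenWrt. It simulates Evan's kludge (root SOA serial as a coarse clock, then step forward an hour until an RRSIG validates) together with the RRSIG time check that decides whether "validation succeeds", and the `build_time` floor is an assumption added here as one cheap answer to the replay case Olafur raises. All serials and RRSIG times are constructed; nothing touches the network.

```python
"""Clock-bootstrap sketch for a DNSSEC validator with no trusted clock.

Added example for this thread; it is not code from either poster or from
Unbound/BIND/OpenWrt.  It simulates Evan's kludge (root SOA serial as a
coarse clock, step forward an hour until an RRSIG validates) and the RRSIG
time check that decides "validates".  All records below are constructed.
"""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def serial_to_date(serial):
    """Decode a root-zone SOA serial of the form YYYYMMDDNN into 00:00 UTC
    of that day.  NN is a per-day revision counter and carries no time,
    so the result can be up to a day behind the true time."""
    ymd, _revision = divmod(serial, 100)
    year, rest = divmod(ymd, 10000)
    month, day = divmod(rest, 100)
    return datetime(year, month, day, tzinfo=UTC)


def rrsig_time(field):
    """Parse an RRSIG inception/expiration field (YYYYMMDDHHMMSS, UTC)."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=UTC)


def signature_valid_at(clock, inception, expiration):
    """The validator's time check on an RRSIG (RFC 4035 section 5.3.1):
    the current time must lie within [inception, expiration]."""
    return inception <= clock <= expiration


def bootstrap_clock(serial, inception, expiration, build_time, max_hours=48):
    """Evan's kludge as a loop.  Start the clock at the SOA-serial date, try
    to validate; on failure step an hour forward and retry.  Returns
    (status, clock, hours_stepped).

    `build_time` is an assumption added here, not something the thread
    proposes: a timestamp baked into the firmware image.  A serial date
    older than it is refused, which blunts the replay Olafur mentions (an
    old but once-valid SOA/RRSIG set replayed to drag the clock backwards).
    It does nothing against a forgery by someone holding the signing keys."""
    clock = serial_to_date(serial)
    if clock < build_time:
        return ("replay-suspect", None, 0)
    for hours in range(max_hours):
        if signature_valid_at(clock, inception, expiration):
            return ("ok", clock, hours)   # now hand over to NTP to fine-tune
        clock += timedelta(hours=1)
    return ("no-fit", None, max_hours)


if __name__ == "__main__":
    # Constructed sample: a serial for 2013-09-11 and an RRSIG whose window
    # opens at 06:00 UTC that day.  Real root RRSIG windows are days long, so
    # the midnight guess usually fits on the first try; this one needs 6 steps.
    status, clock, hours = bootstrap_clock(
        2013091100,
        rrsig_time("20130911060000"),
        rrsig_time("20130911180000"),
        build_time=serial_to_date(2013010100),
    )
    print(status, clock, hours)
```

`serial_to_date` only makes sense for zones that follow the root's YYYYMMDDNN serial convention; a zone using a Unix-time or plain counter serial gives nonsense. Note also that the loop only ever moves the clock forward, so a replayed signature set that still lies in the future relative to the serial date passes every check here; the window in the RRSIG is the only thing actually being tested.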
