On Sep 10, 2013, at 8:17 PM, David Morris <dwm@xxxxxxxxx> wrote:

>
> On Wed, 11 Sep 2013, Brian E Carpenter wrote:
>
>> On 11/09/2013 09:59, Olafur Gudmundsson wrote:
>> ...
>>> My colleagues and I worked on OpenWrt routers to get Unbound to work there; what you need to do is to start DNS up in non-validating mode,
>>> wait for NTP to fix time, then check if the link allows DNSSEC answers through, at which point you can enable DNSSEC validation.
>>
>> Hopefully you also flush the DNS cache as soon as NTP runs. Even so,
>> paranoia suggests that a dodgy IP address might still be cached in
>> some app.
>
> I think you can avoid that issue by having the device not pass traffic
> until the DNSSEC validation is enabled. Only the device needs the special
> permissive handling for this to work.
>

You mean only allow NTP and DNS traffic in the beginning, until checks are done?

In many cases we can get a reasonable time by writing the current time to an NVRAM variable every 6 hours or so, but that only helps for reboot.

Olafur
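The bootstrap sequence Olafur describes (start Unbound without validation, wait until the clock is plausible, check that DNSSEC records make it through the link, then switch validation on and flush the cache, which covers Brian's point), as an added shell example that is not from the thread or from the OpenWrt or Unbound projects. It assumes the `server:` clause of unbound.conf contains `include: /var/run/unbound-val.conf` (assumed path), a constructed firmware build timestamp, and that `dig` and `unbound-control` are installed.

```shell
#!/bin/sh
# Added example, not from the thread. Bootstraps DNSSEC validation on a
# router that boots with a bogus clock. Assumes the server: clause of
# unbound.conf has "include: /var/run/unbound-val.conf" (assumed path),
# so the validator is switched by rewriting that file and reloading.
BUILD_EPOCH=1378857600                           # constructed: firmware build time
VAL_CONF=${VAL_CONF:-/var/run/unbound-val.conf}  # assumed include path

# The clock is usable only once it is past the firmware build time;
# a router without an RTC typically boots at the epoch (1970).
time_plausible() {        # $1 = epoch seconds to check
    [ "$1" -gt "$BUILD_EPOCH" ]
}

# Given the answer section of "dig +dnssec", report whether RRSIGs came
# through, i.e. nothing on the path stripped the DNSSEC data.
dnssec_passes() {         # $1 = dig output text
    printf '%s\n' "$1" | grep -q 'RRSIG'
}

# Emit the include-file contents for the requested validator state:
# "off" runs the iterator alone (no validation), "on" adds the validator.
validator_config() {      # $1 = on | off
    case "$1" in
        off) printf 'module-config: "iterator"\n' ;;
        on)  printf 'module-config: "validator iterator"\n' ;;
        *)   return 1 ;;
    esac
}

bootstrap() {
    validator_config off > "$VAL_CONF"
    unbound-control reload                   # start in non-validating mode
    until time_plausible "$(date +%s)"; do   # ntpd is expected to fix the clock
        sleep 5
    done
    # Ask for the root DNSKEY through the local resolver with the DO bit
    # set; RRSIGs in the answer mean DNSSEC data survives the link.
    if dnssec_passes "$(dig +dnssec +noall +answer DNSKEY . @127.0.0.1)"; then
        validator_config on > "$VAL_CONF"
        unbound-control reload               # reload also flushes the cache
    fi
}

# Only act when invoked with "run"; defining the functions alone is harmless.
if [ "${1:-}" = run ]; then
    bootstrap
fi
```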