On Sep 10, 2013, at 6:45 PM, Evan Hunt <each@xxxxxxx> wrote:

> On Tue, Sep 10, 2013 at 05:59:52PM -0400, Olafur Gudmundsson wrote:
>> My colleagues and I worked on OpenWrt routers to get Unbound to work
>> there, what you need to do is to start DNS up in non-validating mode, wait
>> for NTP to fix time, then check if the link allows DNSSEC answers
>> through, at which point you can enable DNSSEC validation.
>
> That's roughly what we did with BIND on OpenWrt/CeroWrt as well. We
> also discussed hacking NTP to set the CD bit on its initial DNS queries,
> but I don't think any of the code made it upstream.
>

Not sure if this will work in all cases, as a paranoid resolver might only
ignore the CD bit for the actual answer, not for the DNS records needed to
navigate to the answer.

> My real recommendation would be to run an NTP pool in an anycast cloud of
> well-known v4 and v6 addresses guaranteed to be reliable over a period of
> years. NTP could then fall back to those addresses if unable to look up the
> server it was configured to use. DNS relies on a well-known set of root
> server addresses for bootstrapping; I don't see why NTP shouldn't do the
> same.
>

This is something worth suggesting, and

> (Actually... the root nameservers could *almost* provide a workable time
> tick for bootstrapping purposes right now: the SOA record for the root
> zone encodes today's date in the serial number. So you do the SOA lookup,
> set your system clock, attempt validation; on failure, set the clock an
> hour forward and try again; on success, use NTP to fine-tune. Klugey! :) )
>

- RRSIG on the SOA, NS or DNSKEY is also a fine timestamp, except when it is a replay attack or a forgery.

Olafur
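The "SOA serial as a clock tick" kludge Evan sketches above, as an added offline simulation (this is not code from the thread, from BIND or from Unbound): decode the root zone's date-encoded serial (YYYYMMDDnn) into a starting clock, test it against the RRSIG inception/expiration windows, and step an hour forward until validation would succeed, then hand off to NTP. It also exercises Olafur's caveat: a replayed, expired RRSIG set never validates, so the bootstrap must give up rather than keep stepping. The serial value, the RRSIG windows and the `max_hours` limit are constructed sample values, not real root-zone data.

```python
# Added example (not code from the thread): offline simulation of the
# "use the root SOA serial as a clock tick" bootstrap described above,
# including the replayed-RRSIG failure mode Olafur points out.
from datetime import datetime, timedelta, timezone

UTC = timezone.utc


def serial_to_datetime(serial: int) -> datetime:
    """Decode a date-encoded SOA serial (YYYYMMDDnn, the root zone's convention)
    into a UTC timestamp at midnight of that day."""
    date_part = serial // 100            # drop the per-day revision counter
    year = date_part // 10000
    month = (date_part // 100) % 100
    day = date_part % 100
    return datetime(year, month, day, tzinfo=UTC)


def parse_rrsig_time(text: str) -> datetime:
    """Parse an RRSIG inception/expiration field in presentation format
    (YYYYMMDDHHmmSS, RFC 4034 section 3.2) as UTC."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=UTC)


def rrsigs_valid_at(now: datetime, windows: dict) -> bool:
    """True if `now` falls inside every RRSIG's [inception, expiration] window;
    this is the only part of validation the clock can make fail."""
    return all(inc <= now <= exp for inc, exp in windows.values())


def bootstrap_clock(serial: int, windows: dict, max_hours: int = 48):
    """Start the clock at the SOA serial's date, attempt validation, and on
    failure step an hour forward. Stops after `max_hours` attempts so a
    replayed or forged RRSIG set cannot drag the clock forward indefinitely.
    Returns (clock_estimate, attempts), or (None, max_hours) on failure."""
    clock = serial_to_datetime(serial)
    for attempt in range(max_hours):
        if rrsigs_valid_at(clock, windows):
            return clock, attempt        # good enough to let NTP fine-tune from here
        clock += timedelta(hours=1)
    return None, max_hours


# Constructed sample data (assumed values, not real root-zone records).
SAMPLE_SERIAL = 2013091001
FRESH_RRSIGS = {   # SOA/NS signed a few hours after midnight, two-week validity
    "./SOA":    (parse_rrsig_time("20130910050000"), parse_rrsig_time("20130924050000")),
    "./NS":     (parse_rrsig_time("20130910050000"), parse_rrsig_time("20130924050000")),
    "./DNSKEY": (parse_rrsig_time("20130909000000"), parse_rrsig_time("20130930000000")),
}
# A replayed (long-expired) RRSIG set: no hourly step from the serial date satisfies it.
REPLAYED_RRSIGS = {
    "./SOA": (parse_rrsig_time("20130801000000"), parse_rrsig_time("20130815000000")),
}


def demo():
    """Run the bootstrap against the fresh and the replayed sample sets."""
    fresh_clock, fresh_steps = bootstrap_clock(SAMPLE_SERIAL, FRESH_RRSIGS)
    replay_clock, replay_steps = bootstrap_clock(SAMPLE_SERIAL, REPLAYED_RRSIGS)
    return fresh_clock, fresh_steps, replay_clock, replay_steps


if __name__ == "__main__":
    fc, fs, rc, rs = demo()
    print(f"fresh RRSIGs: clock={fc.isoformat()} after {fs} hourly steps")
    print(f"replayed RRSIGs: clock={rc} after {rs} steps (bootstrap fails, as it should)")
```

With the fresh sample set the first five attempts fail because the SOA and NS signatures were made at 05:00 UTC, so the clock settles at 2013-09-10T05:00Z after five steps; the replayed set exhausts the 48-hour budget and returns no estimate. Note that this only bounds the clock to within the RRSIG validity window (typically days for the root), which is why the thread still hands off to NTP for the fine adjustment, and why a forged or replayed signature set that happens to cover the guessed time is not detected by this step alone.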