DNSSEC validation without current time
Dave Warren
dw at thedave.ca
Mon Dec 18 06:07:41 UTC 2017
On 2017-12-15 06:23, Petr Menšík wrote:
>
> Dne 15.12.2017 v 13:06 G.W. Haywood via bind-users napsal(a):
>> Hi there,
>>
>> On Fri, 15 Dec 2017, Petr Men??k wrote:
>>
>>> ... current time is not available or can be inaccurate.
>>
>> ntpdate?
>>
> Sure, of course. What would be default host after installation, that can
> be used in default installation image without manual configuration? And
> how does it resolve that name, when date of the system is 1970-1-1 or
> something a only a bit more accurate?
>
> Current pool.ntp.org adresses are unsigned now, so that would work
> anyway. If I want spoof protection, what should I do?
Do two passes. First: Use DNS without DNSSEC validation to obtain a list
of NTP servers, and thereby determine the current time. Second: Use DNS
with DNSSEC to obtain a list of (trusted) NTP servers, and verify the time.
The second pass might detect the list of IPs has changed and bypass the
second NTP pass as we now know the previous IPs were valid, but you must
be prepared for DNS to return different IPs from a pool and to therefore
re-verify the time -- We don't care if the IP list has changed, only
that the time is valid.
The only real challenge is to avoid letting anything else trust the time
received in phase 1 until it has been validated by phase 2.
More information about the bind-users
mailing list