Re: [dhcwg] [ntpwg] Fwd: New Version Notification for draft-ogud-dhc-udp-time-option-01.txt

Olafur Gudmundsson <> Mon, 02 December 2013 13:47 UTC

Return-Path: <>
Received: from localhost ( []) by (Postfix) with ESMTP id BFD211AE476 for <>; Mon, 2 Dec 2013 05:47:06 -0800 (PST)
X-Virus-Scanned: amavisd-new at
X-Spam-Flag: NO
X-Spam-Score: -1.9
X-Spam-Status: No, score=-1.9 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=ham
Received: from ([]) by localhost ( []) (amavisd-new, port 10024) with ESMTP id tWjrFOPRXnpG for <>; Mon, 2 Dec 2013 05:47:04 -0800 (PST)
Received: from ( []) by (Postfix) with ESMTP id CA1BA1AE474 for <>; Mon, 2 Dec 2013 05:47:04 -0800 (PST)
Received: from localhost (localhost.localdomain []) by (SMTP Server) with ESMTP id 7B9DF50326; Mon, 2 Dec 2013 08:47:02 -0500 (EST)
X-Virus-Scanned: OK
Received: by (Authenticated sender: with ESMTPSA id F16D55031A; Mon, 2 Dec 2013 08:47:01 -0500 (EST)
Content-Type: text/plain; charset=iso-8859-1
Mime-Version: 1.0 (Mac OS X Mail 6.6 \(1510\))
From: Olafur Gudmundsson <>
In-Reply-To: <>
Date: Mon, 2 Dec 2013 08:47:01 -0500
Content-Transfer-Encoding: quoted-printable
Message-Id: <>
References: <> <>
X-Mailer: Apple Mail (2.1510)
Cc: NTP Working Group <>, " WG" <>, Hal Murray <>, Ted Lemon <>, Bernie Volz <>
Subject: Re: [dhcwg] [ntpwg] Fwd: New Version Notification for draft-ogud-dhc-udp-time-option-01.txt
X-Mailman-Version: 2.1.15
Precedence: list
List-Id: <>
List-Unsubscribe: <>, <>
List-Archive: <>
List-Post: <>
List-Help: <>
List-Subscribe: <>, <>
X-List-Received-Date: Mon, 02 Dec 2013 13:47:07 -0000

On Dec 2, 2013, at 12:27 AM, Danny Mayer <> wrote:

> On 12/1/2013 11:47 PM, Hal Murray wrote:
>> Does DNS using DNSSEC return a specific error code for time-invalid?  Or just 
>> a generic didn't-work?
>> How close does the time have to be for DNSSEC to work?
> That's a question that should be asked in the dnsext WG mailing list
> (though technically the Working Group is now closed). Olafur and I
> (apart from Ted who is IETF area director) are probably the only ones on
> these lists who participate in that mailing list. Olafur was one of the
> cochairs of the DNS ext working group.
> The document does not describe the DNSSEC requirements for accurate time
> and probably should so that it can be assessed in that light.
> The ones I know about are RRSIG inception time and expiration time and
> then there are certificate expiration date-times.
> The proposal seems to suggest that a timestamp in 64-bit time_t be
> distributed by DHCP. I'm not sure why not a NTP timestamp instead.
> However most systems running a DNS server is likely to have a static
> address in the first place and that is what DHCP distributes as
> nameservers to query. Since they use static addresses do they
> participate in DHCP services at all? And who says that the DHCP server
> itself has accurate time?

Danny, Thanks for the kind introduction 

The reason for time_t is the dhcp-client can feed that directly into following call:
	 settimeofday(const struct timeval *tp, const struct timezone *tzp)

If there is better construct I wold be happy to update the draft with that. 

Be careful when you say "most systems running a DNS server" 
are you talking about resolver or authoritative server.  

In the second case you are right they are static and frequently well provisioned with good bandwidth, and 
at boot time the system has good idea why the current time is, but for all practical purposes unless they are signing
on the fly they do not need accurate time. 

ON THE OTHER HAND, resolvers and X.509 certificate checking is distributed and can take 
place on any device. As I said in another message DNS resolution is being pushed to the edge 
as devices that migrate between networks cannot count on the "local resolvers" to be "DNSSEC ready" 

You are right we can not count on the DHCP server to have good time, thus any DHCP server answering 
with the proposed option would need to make sure it has "decent current time", that is the reason I say in the
draft that the time should be within 10 minutes. 
When playing with cheap home routers I discovered that the devices can easily drift an hour a day, if NTP is not
invoked regularly, most of these devices just use 'ntpdate' and frequently run it from startup script once. 

>> Could this problem be solved by setting up a bank of NTP servers at well 
>> known IP Addresses?  Say, one next to each root DNS server.  If you tried to 
>> do that, I'd expect a serious problem would be overload because idiots would 
>> try to use them for normal NTP use rather than just getting off the ground.  
>> It might be possible to discourage that by making them return crappy time.
> No, it would just overwhelm them. See the NIST time servers for an
> example of heavy load.
>> said:
>>> As for the home router use model, it may be that what you really want is for
>>> the home router to query for an FQDN-only DHCP option from the ISP DHCP
>>> server, and then resolve that FQDN and respond to DHCP clients on the
>>> homenet with an IP address.   Since the FQDN is not hard-coded, and the IP
>>> address is (one hopes) resolved either at query time or when its TTL
>>> expires, this ought to prevent a repeat of the firmware burn-in incident. 
>> Most ISPs already provide DNS servers for their customers.  How do their IP 
>> address get setup in home routers?  Could NTP servers piggyback on that 
>> mechanism if ISPs also provided NTP servers?
> I wish they would provide NTP services in the same way. Unfortunately
> although most ISP's will have NTP servers they do not usually tell their
> customers about them and they certainly do not provide authenticated
> packets like autokey.
> Danny

Will a hotel network provide NTP server, and would you trust it? 
Will a coffee shop provide NTP server ???