Re: [dhcwg] DNSSEC in names vs. numbers for NTP server information in DHCP
Danny Mayer <mayer@ntp.org> Wed, 28 November 2007 04:24 UTC
Message-ID: <474CECCD.6090707@ntp.org>
Date: Tue, 27 Nov 2007 23:21:33 -0500
From: Danny Mayer <mayer@ntp.org>
To: shane_kerr@isc.org
Subject: Re: [dhcwg] DNSSEC in names vs. numbers for NTP server information in DHCP
References: <474CB98F.7050603@isc.org>
In-Reply-To: <474CB98F.7050603@isc.org>
Cc: ntpwg@lists.ntp.org, dhcwg@ietf.org
Shane Kerr wrote:
> All,
>
> I was reading the long, long, long thread(s) about putting NTP information into
> DHCP, and the focus on whether DHCP servers should provide names or IP addresses
> for NTP servers.
>
> It occurs to me that DNSSEC requires accurate time. So, we have a bit of a
> bootstrapping issue if we ever decide to secure DNS zones that contain NTP
> servers in them and expect clients to use the server names to find them.
>
> It seems like we have to provide IP addresses for NTP servers for this reason.

I'm not sure which hat to wear on this one. The first question is 1) how accurate? Within 5 minutes like TSIG? 2) I assume that this is both ends relative to each other?

We always had a bootstrapping issue. It's only now becoming obvious. I had mentioned this in a previous message. One way of avoiding the accurate time issue is to use a refclock on the system and have NTP get its time from there.

There are actually three different parts of this:

1) DNS Servers using DNSSEC for the zone in which they are authoritative. These will have static IP addresses and DHCP would presumably not be involved (though no doubt can provide other data). I would expect that it would be set up manually to have ntpd use servers specified by the sysadmin.

2) Caching DNSSEC-aware servers. These are presumably the servers responsible for supplying the answers to the ultimate clients. These would also presumably have static IP addresses and not use DHCP. They too could be manually configured to use NTP from their own resources but could conceivably get information from DHCP servers.

3) The clients themselves using a DNSSEC-enabled resolver. These are likely to be provisioned with IP addresses, DNS server addresses, etc. and presumably get their information from DHCP. These clients are the most vulnerable since presumably the NTP server would be provisioned by DHCP which would need to make sure that they receive authenticated data.

That's the chicken and egg problem since they presumably need an accurate time before communicating with the DHCP server to get information about the NTP server addresses to use. If you are concerned enough to use DNSSEC you presumably are concerned enough to use only authenticatable NTP servers and that means using the autokey protocol (now in IETF draft). That requires a key and it needs to be distributed OOB. The key could potentially be distributed by DHCP but you also need to protect the key from modification in flight which presumably needs DHCP authentication and encryption if that's the distribution method.

The trick here is to figure out which piece to set up first.

Ideas?

Danny

_______________________________________________
dhcwg mailing list
dhcwg@ietf.org
https://www1.ietf.org/mailman/listinfo/dhcwg
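The bootstrapping problem Shane and Danny describe can be made concrete with a small model. The following Python is an added illustration, not code from either poster or from the NTP or ISC projects: it implements the RRSIG validity-window check from RFC 4034 (using the RFC 1982 serial arithmetic the RR format requires, so the 2038 wrap is handled), then runs a client with an unset clock through start-up twice, once with DHCP handing it NTP server names and once with addresses. The zone contents, signature times, the "true" time and the host `ntp.example.test` / `192.0.2.10` are constructed values.

```python
"""Model of the DNSSEC/NTP start-up ordering discussed in the thread.

Added illustration, not code from the thread.  A validating resolver can only
accept an RRSIG whose window contains the client's current clock, so a client
whose sole NTP configuration is a DNS name cannot set its clock until it can
validate DNS, and cannot validate DNS until it has set its clock.
"""

from dataclasses import dataclass, field

MASK32 = 0xFFFFFFFF
HALF32 = 1 << 31


def serial_lt(a: int, b: int) -> bool:
    """a < b in 32-bit serial number arithmetic (RFC 1982), which RFC 4034
    section 3.1.5 requires for comparing RRSIG inception/expiration."""
    a &= MASK32
    b &= MASK32
    return (a < b and b - a < HALF32) or (a > b and a - b > HALF32)


def rrsig_time_valid(now: int, inception: int, expiration: int) -> bool:
    """The signature is usable only while inception <= now <= expiration."""
    return not serial_lt(now, inception) and not serial_lt(expiration, now)


@dataclass
class SignedZone:
    """Constructed zone fragment: name -> address, signed over one window."""
    addresses: dict
    inception: int
    expiration: int


@dataclass
class Client:
    clock: int                      # what the client believes the time is
    synced: bool = False
    log: list = field(default_factory=list)

    def validate_lookup(self, zone: SignedZone, name: str):
        """A validating stub resolver: the answer is accepted only if its RRSIG
        window contains the client's own (possibly wrong) clock."""
        if not rrsig_time_valid(self.clock, zone.inception, zone.expiration):
            self.log.append(f"RRSIG for {name} rejected at clock={self.clock}")
            return None
        return zone.addresses.get(name)

    def ntp_sync(self, server_ip: str, true_time: int) -> None:
        """Stand-in for an NTP exchange: the client adopts the server's time."""
        self.clock = true_time
        self.synced = True
        self.log.append(f"clock set from {server_ip}")


def bootstrap(client: Client, dhcp_option: dict, zone: SignedZone, true_time: int) -> bool:
    """Run the client's start-up ordering.  dhcp_option carries either
    'ntp_addresses' (numbers) or 'ntp_names' (names), the two proposals in
    the thread.  Returns True if the clock ends up synced."""
    if "ntp_addresses" in dhcp_option:
        # Numbers: no DNS lookup is needed, so no signature has to be checked
        # before the clock can be set.
        client.ntp_sync(dhcp_option["ntp_addresses"][0], true_time)
        return client.synced
    for name in dhcp_option.get("ntp_names", []):
        # Names: the lookup must validate first, with whatever clock we have.
        ip = client.validate_lookup(zone, name)
        if ip is not None:
            client.ntp_sync(ip, true_time)
            return client.synced
    client.log.append("no NTP server reachable: DNSSEC answers rejected, clock never set")
    return False


if __name__ == "__main__":
    # Constructed values: a zone signed for 30 days around late November 2007
    # and a client booting with its clock at the epoch (a common cold-start state).
    TRUE_TIME = 1196220000
    zone = SignedZone({"ntp.example.test": "192.0.2.10"}, 1196000000, 1198592000)

    by_name = Client(clock=0)
    print("names   :", bootstrap(by_name, {"ntp_names": ["ntp.example.test"]}, zone, TRUE_TIME), by_name.log)

    by_addr = Client(clock=0)
    print("numbers :", bootstrap(by_addr, {"ntp_addresses": ["192.0.2.10"]}, zone, TRUE_TIME), by_addr.log)
    # Once the clock is right, the same DNSSEC lookup succeeds.
    print("after sync:", by_addr.validate_lookup(zone, "ntp.example.test"))
```

Running it shows the name-only client rejecting every signed answer and never syncing, while the address-provisioned client syncs first and can then validate the very same zone; this is the ordering constraint behind Danny's point that the clients in his category 3 are the ones that need numbers (or a refclock) rather than names.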