Re: [DNSOP] Practical issues deploying DNSSEC into the home.

Glen Wiley <glen.wiley@gmail.com> Fri, 13 September 2013 21:33 UTC

Subject: Re: [DNSOP] Practical issues deploying DNSSEC into the home.
Mime-Version: 1.0 (Apple Message framework v1085)
Content-Type: multipart/alternative; boundary="Apple-Mail-8--778617105"
From: Glen Wiley <glen.wiley@gmail.com>
In-Reply-To: <CAJ1+nORZwf-Nh1M_xC4Hn-MWmvgCmg-S6N0w-iAtzhg89MyVvw@mail.gmail.com>
Date: Fri, 13 Sep 2013 17:33:44 -0400
Message-Id: <E0584AD1-7DC7-45F6-B908-1AAA8462DB46@gmail.com>
References: <CAGhGL2APj-XfuMUHgLsELnZRbRNCLrjMBxFBtcg4zx+5SG7Bag@mail.gmail.com> <3C96E4A9-7E78-421F-A437-7091AEBEB5AA@ogud.com> <20130910224518.GA99190@isc.org> <CAJ1+nORZwf-Nh1M_xC4Hn-MWmvgCmg-S6N0w-iAtzhg89MyVvw@mail.gmail.com>
To: robert bownes <bownes@web9.com>
X-Mailer: Apple Mail (2.1085)
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, "ietf@ietf.org TF" <ietf@ietf.org>

This discussion highlights the importance of making sure that hardware vendors understand the need for working clocks that can be easily bootstrapped. In addition to NTP, radio clock receivers are ubiquitous, tiny and ridiculously cheap. It is unconscionable that any consumer electronics are sold today that boast a visible clock without including a radio clock receiver! This doesn't fix the mountain of already deployed SOHO gear, but it is time for vendors that know better (Cisco, Netgear, D-Link, etc.) to do the right thing.

I put entropy in a similar class of problem as radio clock receivers. There are a number of reasonable sources for entropy that take up virtually no PCB space and can be built with a few discrete components (thinking of quantum effects between two transistor gates or Zener breakdown noise on a Zener diode). Stronger entropy sources get expensive - but something that provides reasonable entropy for light crypto should be available on SOHO class network gear.

On Sep 12, 2013, at 2:19 PM, robert bownes wrote:

> 
> Chiming in a bit late here, however, the availability of stratum 1 clocks and stratum 2 class time data on non-IP and/or non-interconnected networks is now so large, I question why one would run NTP outside of the building in many cases, certainly in an enterprise of any size.
> 
> A 1 pulse per second aligned to GPS is good to a few ns. Fairly straightforward to plug into even an OpenWrt type of router. Turn on the PPS in NTP on the router and you are good to go.
> 
> On Tue, Sep 10, 2013 at 6:45 PM, Evan Hunt <each@isc.org> wrote:
> On Tue, Sep 10, 2013 at 05:59:52PM -0400, Olafur Gudmundsson wrote:
> > My colleagues and I worked on OpenWrt routers to get Unbound to work
> > there, what you need to do is to start DNS up in non-validating mode wait
> > for NTP to fix time, then check if the link allows DNSSEC answers
> > through, at which point you can enable DNSSEC validation.
> 
> That's roughly what we did with BIND on OpenWrt/CeroWrt as well.  We
> also discussed hacking NTP to set the CD bit on its initial DNS queries,
> but I don't think any of the code made it upstream.
> 
> My real recommendation would be to run an NTP pool in an anycast cloud of
> well-known v4 and v6 addresses guaranteed to be reliable over a period of
> years. NTP could then fall back to those addresses if unable to look up the
> server it was configured to use.  DNS relies on a well-known set of root
> server addresses for bootstrapping; I don't see why NTP shouldn't do the
> same.
> 
> (Actually... the root nameservers could *almost* provide a workable time
> tick for bootstrapping purposes right now: the SOA record for the root
> zone encodes today's date in the serial number.  So you do the SOA lookup,
> set your system clock, attempt validation; on failure, set the clock an
> hour forward and try again; on success, use NTP to fine-tune. Klugey! :) )
> 
> --
> Evan Hunt -- each@isc.org
> Internet Systems Consortium, Inc.
> _______________________________________________
> DNSOP mailing list
> DNSOP@ietf.org
> https://www.ietf.org/mailman/listinfo/dnsop
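The bootstrap sequence quoted above (start the resolver non-validating, obtain a coarse clock, then switch validation on) can be exercised offline for the root-SOA-serial kludge Evan Hunt describes. What follows is an added example, not code from this thread or from Unbound, BIND, OpenWrt or CeroWrt: it turns a serial in the root zone's YYYYMMDDNN convention into a provisional UTC time, checks that time against the RRSIG validity windows a validator would have to satisfy, and steps the clock forward an hour at a time on failure, giving up after a day. The `not_before` floor (an assumed firmware build date) and the sample RRSIG windows are constructed for the example. The SOA answer itself cannot be validated at this point, which is the whole chicken-and-egg problem; the floor only stops a spoofed or replayed SOA from dragging the clock back to a date on which long-expired keys and signatures would verify again.

```python
"""Coarse clock bootstrap from the root zone SOA serial (added example)."""
from __future__ import annotations

import re
from datetime import datetime, timedelta, timezone
from typing import List, Optional, Tuple

UTC = timezone.utc
Window = Tuple[datetime, datetime]  # (inception, expiration), both UTC


def time_from_root_serial(serial: int) -> Optional[datetime]:
    """Map a root-zone style serial (YYYYMMDDNN) to 00:00 UTC of that day.

    Returns None if the serial does not look like a date-based serial, so a
    garbage or hostile answer never becomes a clock value.
    """
    text = str(serial)
    if not re.fullmatch(r"\d{10}", text):
        return None
    try:
        return datetime(int(text[:4]), int(text[4:6]), int(text[6:8]), tzinfo=UTC)
    except ValueError:  # e.g. month 13 or day 99
        return None


def parse_rrsig_time(field: str) -> datetime:
    """Parse an RRSIG inception/expiration in presentation format YYYYMMDDHHmmSS."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=UTC)


def in_window(now: datetime, window: Window) -> bool:
    """True if `now` lies inside the signature's validity period."""
    inception, expiration = window
    return inception <= now < expiration


def bootstrap_clock(
    serial: int,
    windows: List[Window],
    not_before: datetime,
    step: timedelta = timedelta(hours=1),
    max_steps: int = 24,
) -> Optional[Tuple[datetime, int]]:
    """Return (provisional clock, number of steps taken) or None.

    Start at midnight UTC of the serial's date. If any RRSIG window rejects
    that instant, advance one step (an hour, as in the thread) and retry, up
    to a day. `not_before` is an assumed build-time floor: a serial that puts
    us before it is rejected outright, because the (unvalidated) SOA answer
    may be a replay meant to roll the clock back to when old keys were valid.
    """
    clock = time_from_root_serial(serial)
    if clock is None or clock < not_before:
        return None
    for steps in range(max_steps + 1):
        candidate = clock + steps * step
        if all(in_window(candidate, w) for w in windows):
            return candidate, steps
    return None  # nothing within a day satisfied every window; keep NTP-less fallback


if __name__ == "__main__":
    # Constructed sample: serial for 13 Sep 2013 and one RRSIG window that
    # starts at 01:30 UTC that day (values chosen for the example only).
    sample_serial = 2013091301
    sample_windows = [
        (parse_rrsig_time("20130913013000"), parse_rrsig_time("20130923013000")),
    ]
    build_date = datetime(2013, 1, 1, tzinfo=UTC)  # assumed firmware build date
    print(bootstrap_clock(sample_serial, sample_windows, build_date))
    # -> (datetime(2013, 9, 13, 2, 0, tzinfo=UTC), 2): midnight and 01:00 fell
    #    before inception, 02:00 is inside the window; NTP refines from here.
```

Once `bootstrap_clock` returns a candidate, the resolver would set the system time to it, enable validation, and let NTP (queried with the CD bit set, or against fixed addresses, as discussed above) correct the remaining error; a `None` result means the device should stay non-validating rather than guess.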