IETF Logo Mail Archive

Re: [DNSOP] Practical issues deploying DNSSEC into the home.

David Morris <dwm@xpasc.com> Fri, 13 September 2013 05:11 UTC

Return-Path: <dwm@xpasc.com>
X-Original-To: ietf@ietfa.amsl.com
Delivered-To: ietf@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id E95E711E810F; Thu, 12 Sep 2013 22:11:21 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.953
X-Spam-Level:
X-Spam-Status: No, score=-1.953 tagged_above=-999 required=5 tests=[AWL=-0.646, BAYES_00=-2.599, MISSING_HEADERS=1.292]
Received: from mail.ietf.org ([12.22.58.30]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id YdpK+ikKmHpJ; Thu, 12 Sep 2013 22:11:16 -0700 (PDT)
Received: from c2w3p-2.abacamail.com (c2w3p-2.abacamail.com [209.133.53.32]) by ietfa.amsl.com (Postfix) with ESMTP id 34A8E11E810E; Thu, 12 Sep 2013 22:11:16 -0700 (PDT)
Received: from xpasc.com (h-68-164-244-188.snva.ca.megapath.net [68.164.244.188]) by c2w3p-2.abacamail.com (Postfix) with ESMTP id 9B2653F92E; Fri, 13 Sep 2013 05:11:15 +0000 (UTC)
Received: from egate.xpasc.com (egate.xpasc.com [10.1.2.49]) by xpasc.com (8.13.8/8.13.8) with ESMTP id r8D5BFmF005051; Thu, 12 Sep 2013 22:11:15 -0700
Date: Thu, 12 Sep 2013 22:11:15 -0700
From: David Morris <dwm@xpasc.com>
Subject: Re: [DNSOP] Practical issues deploying DNSSEC into the home.
In-Reply-To: <41F30C20-31A2-45C2-A51F-E6F3DAAB7ACA@ogud.com>
Message-ID: <alpine.LRH.2.01.1309122206280.2662@egate.xpasc.com>
References: <CAGhGL2APj-XfuMUHgLsELnZRbRNCLrjMBxFBtcg4zx+5SG7Bag@mail.gmail.com> <3C96E4A9-7E78-421F-A437-7091AEBEB5AA@ogud.com> <522FA892.4020806@gmail.com> <alpine.LRH.2.01.1309101714300.7801@egate.xpasc.com> <41F30C20-31A2-45C2-A51F-E6F3DAAB7ACA@ogud.com>
User-Agent: Alpine 2.01 (LRH 1266 2009-07-14)
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset="US-ASCII"
X-Milter-Version: master.87-g7939dec
X-AV-Type: clean
X-AV-Accuracy: exact
Cc: "dnsop@ietf.org WG" <dnsop@ietf.org>, "ietf@ietf.org TF" <ietf@ietf.org>
X-BeenThere: ietf@ietf.org
X-Mailman-Version: 2.1.12
Precedence: list
Reply-To: ietf@ietf.org
List-Id: IETF-Discussion <ietf.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ietf>, <mailto:ietf-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ietf>
List-Post: <mailto:ietf@ietf.org>
List-Help: <mailto:ietf-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ietf>, <mailto:ietf-request@ietf.org?subject=subscribe>
X-List-Received-Date: Fri, 13 Sep 2013 05:11:22 -0000

On Wed, 11 Sep 2013, Olafur Gudmundsson wrote:

> 
> On Sep 10, 2013, at 8:17 PM, David Morris <dwm@xpasc.com> wrote:
> 
> > 
> > 
> > On Wed, 11 Sep 2013, Brian E Carpenter wrote:
> > 
> >> On 11/09/2013 09:59, Olafur Gudmundsson wrote:
> >> ...
> >>> My colleagues and I worked on OpenWrt routers to get Unbound to work there, what you need to do is to start DNS up in non-validating mode
> >>> wait for NTP to fix time, then check if the link allows DNSSEC answers through, at which point you can enable DNSSEC validation.
> >> 
> >> Hopefully you also flush the DNS cache as soon as NTP runs. Even so,
> >> paranoia suggests that a dodgy IP address might still be cached in
> >> some app.
> > 
> > I think you can avoid that issue by having the device not pass traffic
> > until the DNSSEC validation is enabled. Only the device needs the special
> > permissive handling for this to work.
> > 
> 
> You mean only allow NTP and DNS traffic in the beginning, until checks are done? 
> In many cases we can get a reasonable time by writing the current time to a NVRAM variable every 6 hours or so, but that
> only helps for reboot. 

No, I mean that the Home class gateway device would not accept any
traffic for it's inside network until it has DNSSEC validation and
related NTP setup was completed. This would extend the apparent boot
time a small amount of time relative to other components of the boot
sequence. By not allowing thru traffic, I think the concern about
DNS results being cached on the inside network would be a non-issue.
And the gateway device controls its own cache so flushing it should
not be an issue

v2.30.2 | Report a Bug | By Email | System Status