IETF Logo Mail Archive

Re: [Ntp] Circular dependencies

Mark Andrews <marka@isc.org> Wed, 11 November 2020 23:01 UTC

Return-Path: <marka@isc.org>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id AA17C3A11CC for <ntp@ietfa.amsl.com>; Wed, 11 Nov 2020 15:01:41 -0800 (PST)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.897
X-Spam-Level:
X-Spam-Status: No, score=-1.897 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_MSPIKE_H3=0.001, RCVD_IN_MSPIKE_WL=0.001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, URIBL_BLOCKED=0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 5RjReHLnj4Wh for <ntp@ietfa.amsl.com>; Wed, 11 Nov 2020 15:01:40 -0800 (PST)
Received: from mx.pao1.isc.org (mx.pao1.isc.org [149.20.64.53]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 670633A11C9 for <ntp@ietf.org>; Wed, 11 Nov 2020 15:01:40 -0800 (PST)
Received: from zmx1.isc.org (zmx1.isc.org [149.20.0.20]) (using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits)) (No client certificate requested) by mx.pao1.isc.org (Postfix) with ESMTPS id 617AE3AB00C; Wed, 11 Nov 2020 23:01:39 +0000 (UTC)
Received: from zmx1.isc.org (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTPS id 5528A160043; Wed, 11 Nov 2020 23:01:39 +0000 (UTC)
Received: from localhost (localhost [127.0.0.1]) by zmx1.isc.org (Postfix) with ESMTP id 42310160085; Wed, 11 Nov 2020 23:01:39 +0000 (UTC)
Received: from zmx1.isc.org ([127.0.0.1]) by localhost (zmx1.isc.org [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id gANRUIwwQf1H; Wed, 11 Nov 2020 23:01:39 +0000 (UTC)
Received: from [1.0.0.3] (n114-75-120-99.bla3.nsw.optusnet.com.au [114.75.120.99]) by zmx1.isc.org (Postfix) with ESMTPSA id 86F22160043; Wed, 11 Nov 2020 23:01:38 +0000 (UTC)
Content-Type: text/plain; charset="us-ascii"
Mime-Version: 1.0 (Mac OS X Mail 11.5 \(3445.9.7\))
From: Mark Andrews <marka@isc.org>
In-Reply-To: <CACsn0c=Xu31KyHu8+uq+fKBMVRt+YaJGZCfSn2ph1WXfm2atHw@mail.gmail.com>
Date: Thu, 12 Nov 2020 10:01:36 +1100
Cc: NTP WG <ntp@ietf.org>
Content-Transfer-Encoding: 7bit
Message-Id: <59FB7533-A156-438A-B395-A4D255651EAA@isc.org>
References: <CACsn0c=Xu31KyHu8+uq+fKBMVRt+YaJGZCfSn2ph1WXfm2atHw@mail.gmail.com>
To: Watson Ladd <watsonbladd@gmail.com>
X-Mailer: Apple Mail (2.3445.9.7)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/DtHzkx8XLsKfjFuL-pyJ2tQAgY4>
Subject: Re: [Ntp] Circular dependencies
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 11 Nov 2020 23:01:42 -0000


> On 12 Nov 2020, at 04:21, Watson Ladd <watsonbladd@gmail.com> wrote:
> 
> Dear NTP WG,
> 
> I just realized there is a mailing list bug report that's a lot more
> interesting than it seems. They have a DNSSEC validating resolver and
> were using an NTP daemon to set the clock (and the RTC was busted) But
> the time is needed to verify liveness of the signatures for DNSSEC to
> validate, and without the names don't resolve, including the NTP
> server names.

If you have no idea of the current time just verify the signatures
ignoring the time stamps.  That is significantly better than no
verification at all.  The timestamps are there to prevent replay
attacks.  Just ask for the records and signatures (DO=1) and do your
own DNSSEC validation.  There are libraries out there that can do this
for you.

Back when I was using a machine w/o a real time clock and just power
line frequency to maintain time we touched a file in the root directory
every minute so that when the machine rebooted it would not be too far
off current time.

DNSSEC just needs to know the rough time.  Implementations already build
slack into the inception timestamp.  We all know there is clock skew in
the real world.  BIND sets it to a hour in the past by default when
generating signatures.

> This is probably a bigger issue with NTS, as certs with IP addresses
> are harder to get. Roughtime can use its own keys, but does still rely
> on the DNS often, so it won't necessarily be a solution. Any ideas?
> 
> Sincerely,
> Watson Ladd
> 
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka@isc.org

v2.23.0 | Report a Bug | By Email