Friday, March 01, 2019

Re: my constraints paradox

It seems no one came forward in support of this.  I guess the effort
then is not needed to put this into OpenBSD/ntpd.  On a side note, my DNS
server now does TSIG for AXFR, notifies and queries if it's configured to
do so.  To properly put it into openntpd would be about 2-3 days of work,
I guess, if the need-case comes up again (that's with code that checks a
time response, which isn't really needed just to get a timestamp :-)).

Thanks!

-peter

On 2/25/19 5:04 PM, Otto Moerbeek wrote:
> On Mon, Feb 25, 2019 at 09:38:13AM +0100, Peter J. Philipp wrote:
>
>> Hi,
>>
>> I'm currently working with TSIG (RFC 2845) on my project. The idea came to me
>> to use it as a constraint for openntpd. This would solve a paradox on my NUC
>> which does DNS in my apartment. The NUC's BIND uses TSIG to question a
>> forwarder for DNS answers. TSIG relies on time being correct within a small
>> window (called a fudge). So you see, the HTTPS constraints on the NUC would
>> never work if the time were off (thankfully it has an RTC), because it would
>> not be able to look up the name of the server. It's an endless spiral if
>> nobody intervenes (DNS does not work because of bad time, time does not get
>> updated because of DNS).
>>
>> I already shared some TSIG work, three years ago, here:
>>
>> https://marc.info/?l=openbsd-tech&m=145656997013119&w=2
>>
>> And I can probably enhance that to cause a timecheck on the DNS server with
>> TSIG.
>>
>> This would also allow me to move BIND closer to the router (currently
>> an octeon without RTC) and possibly have a second nameserver in the local LAN.
>>
>> A TSIG is authenticated, and I believe that to get past BADKEY and BADSIG
>> messages and receive BADTIME replies one has to configure a key. The question
>> is, does OpenBSD have a need for something like that? I can branch off from
>> the work I'm currently doing and spend some time on ntpd.
>>
>> Regards,
>> -peter
>>
> I've done some work in a related area, bootstrapping ntpd while using
> a DNSSEC enabled resolver. If the time is off, that does not work atm.
> That work was never finished because of reasons.
>
> But I think the TSIG use case is pretty limited. Who uses it other
> than for zone transfers?
>
> -Otto
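The thread above explains why a TSIG-signed query can double as a time constraint: a server that rejects a request as BADTIME still signs its reply, using the client's own time and fudge, and puts its current time in the TSIG Other Data field (RFC 2845 section 4.5.2), so the client can authenticate that timestamp with the shared key before it touches its clock. The Python below is an added example written for this page; it is not code from Peter's DNS server, from BIND or from OpenBSD's ntpd. The key name, secret, fudge, timestamps and the two DNS messages are constructed for the demonstration, and HMAC-SHA256 (RFC 4635) stands in for the HMAC-MD5 that RFC 2845 originally specified.

```python
"""TSIG (RFC 2845) time-window check and authenticated BADTIME recovery."""
import hashlib
import hmac
import struct

ALGORITHM = "hmac-sha256."          # RFC 4635 algorithm name (wire-encoded below)
RCODE_BADSIG, RCODE_BADTIME = 16, 18
TSIG_CLASS_ANY, TSIG_TTL = 255, 0

# Constructed inputs for the demonstration: not a real key, name or traffic.
SECRET = b"constructed-shared-secret-for-example-only"
KEYNAME = "nuc-forwarder-key."
FUDGE = 300                          # seconds either side of Time Signed

# Constructed DNS messages (header + SOA question for example.net) and the
# server's reply header.  TSIG covers them as opaque bytes; nothing parses them.
_QUESTION = b"\x07example\x03net\x00" + struct.pack(">HH", 6, 1)
REQUEST = bytes.fromhex("1234 0100 0001 0000 0000 0000") + _QUESTION
RESPONSE = bytes.fromhex("1234 8180 0001 0000 0000 0000") + _QUESTION


def wire_name(name):
    """Uncompressed, lowercased DNS wire form of a dotted name (RFC 2845 3.4.2)."""
    out = b""
    for label in name.lower().rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def tsig_variables(keyname, time_signed, fudge, error, other):
    """The 'TSIG Variables' that are digested along with the message."""
    return (wire_name(keyname) + struct.pack(">HI", TSIG_CLASS_ANY, TSIG_TTL)
            + wire_name(ALGORITHM) + time_signed.to_bytes(6, "big")
            + struct.pack(">HHH", fudge, error, len(other)) + other)


def sign(secret, message, keyname, time_signed, fudge, error=0, other=b"",
         request_mac=b""):
    """HMAC over [request MAC with length] + message + TSIG variables."""
    data = b""
    if request_mac:                  # responses chain to the request's MAC
        data += struct.pack(">H", len(request_mac)) + request_mac
    data += message + tsig_variables(keyname, time_signed, fudge, error, other)
    return hmac.new(secret, data, hashlib.sha256).digest()


def server_verify(request, keyname, time_signed, fudge, mac, server_now):
    """Server side.  Returns (tsig error, response MAC, Other Data).

    The MAC is checked before the time, so a client without the key only ever
    sees BADSIG.  A BADTIME reply is signed with the client's time and fudge
    and carries the server's 48-bit time in Other Data (RFC 2845 4.5.2)."""
    expected = sign(SECRET, request, keyname, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return RCODE_BADSIG, b"", b""
    if abs(server_now - time_signed) > fudge:
        other = server_now.to_bytes(6, "big")
        resp_mac = sign(SECRET, RESPONSE, keyname, time_signed, fudge,
                        RCODE_BADTIME, other, request_mac=mac)
        return RCODE_BADTIME, resp_mac, other
    resp_mac = sign(SECRET, RESPONSE, keyname, time_signed, fudge, request_mac=mac)
    return 0, resp_mac, b""


def client_recover_time(request_mac, time_signed, fudge, error, resp_mac, other):
    """Client side: return the server's time from an authenticated BADTIME
    reply, or None.  An unauthenticated or tampered timestamp is never used."""
    if error != RCODE_BADTIME or len(other) != 6:
        return None
    expected = sign(SECRET, RESPONSE, KEYNAME, time_signed, fudge,
                    RCODE_BADTIME, other, request_mac=request_mac)
    if not hmac.compare_digest(expected, resp_mac):
        return None
    return int.from_bytes(other, "big")


def demo(client_now, server_now):
    """One exchange.  Returns (tsig error, server-minus-client offset or None)."""
    mac = sign(SECRET, REQUEST, KEYNAME, client_now, FUDGE)
    error, resp_mac, other = server_verify(REQUEST, KEYNAME, client_now,
                                           FUDGE, mac, server_now)
    server_time = client_recover_time(mac, client_now, FUDGE, error, resp_mac, other)
    return error, (None if server_time is None else server_time - client_now)


if __name__ == "__main__":
    now = 1_551_000_000              # constructed "true" time, early 2019
    print("clock 1h slow:", demo(now - 3600, now))   # (18, 3600)
    print("clock inside fudge:", demo(now - 60, now))  # (0, None)
```

The `demo` call with a client clock an hour slow comes back with the BADTIME error and an authenticated offset of 3600 seconds; a request whose MAC does not verify is rejected as BADSIG before the time is even examined, which is why a key has to be configured before BADTIME replies can be observed at all. Nothing here adjusts the system clock; that step, and the usual sanity limits on the offset, would be the NTP daemon's job.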
