DNSSEC validation without current time

Petr Menšík pemensik at redhat.com
Fri Dec 15 11:45:11 UTC 2017


Hi folks.

I am looking for a way to validate names also on systems where the current
time is not available or can be inaccurate.

This is related to booting with an NTP client, when the only configuration
is a hostname that has to be resolved. There is a bit of a circular dependency.
First, the current time is required for the DNSSEC validator to verify signatures
of all keys. However, that is hard to maintain on systems without an RTC
clock running while the system is down. The Raspberry Pi is an example of such a system.
Until the hostname is known, time cannot be synchronized and corrected to
the real value. They sort of depend on each other. The only secure way I
found is to hardcode the IP address into the NTP client or obtain the IP from another
trusted source (DHCP?).

An available option is of course to disable validation until a valid time is
received. It seems to me that this unnecessarily lowers security. I
would like some option to limit the checking of the validity period of the used keys
instead: just validate the existing keys from the trust anchor and trust the
last key that can be validated. I think that is far better than no
verification at all.

Is it possible to do that in BIND? Maybe bootstrap verification could be
done only with the delv tool with time checking disabled. I found no way to
do that. Is there a good reason why it is not available? Is a better method
for solving secure configuration of a timeless system available?

-- 
Petr Menšík
Software Engineer
Red Hat, http://www.redhat.com/
email: pemensik at redhat.com  PGP: 65C6C973
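The following is an added example, not code from the message above nor from BIND; it models what the "validate without checking the time" bootstrap mode described in the message actually trades away. RRSIG Signature Inception and Expiration are 32-bit serial numbers compared with RFC 1982 serial arithmetic (RFC 4034, section 3.1.5), so a validator that has no trusted clock cannot place "now" inside that window. The RRSIG record, the `crypto_ok` flag standing in for the real signature check, and the sample timestamps are all constructed for illustration.

```python
"""Added example (hypothetical, not BIND code): RRSIG validity-window checking
with and without a trusted clock.

Assumptions:
  - timestamps are in RRSIG presentation format YYYYMMDDHHmmSS (UTC)
  - they are compared as 32-bit serial numbers (RFC 4034 s3.1.5 / RFC 1982)
  - the cryptographic verification itself is stubbed by a boolean
"""
import datetime
from dataclasses import dataclass

SERIAL_BITS = 32
SERIAL_MASK = (1 << SERIAL_BITS) - 1
SERIAL_HALF = 1 << (SERIAL_BITS - 1)


def rrsig_time_to_serial(text: str) -> int:
    """Convert YYYYMMDDHHmmSS (UTC) into the 32-bit serial used on the wire."""
    dt = datetime.datetime.strptime(text, "%Y%m%d%H%M%S")
    dt = dt.replace(tzinfo=datetime.timezone.utc)
    return int(dt.timestamp()) & SERIAL_MASK


def serial_le(a: int, b: int) -> bool:
    """RFC 1982 comparison: is a <= b in 32-bit serial arithmetic?"""
    if a == b:
        return True
    diff = (b - a) & SERIAL_MASK
    return 0 < diff < SERIAL_HALF


def in_validity_window(inception: int, expiration: int, now: int) -> bool:
    """RFC 4034 s3.1.5: valid iff inception <= now <= expiration (serial)."""
    return serial_le(inception, now) and serial_le(now, expiration)


@dataclass
class RRSIG:
    inception: int
    expiration: int
    crypto_ok: bool  # stands in for verifying the signature with the DNSKEY


def validate(rrsig: RRSIG, now: int, check_time: bool = True):
    """Return (valid, reason).

    check_time=False is the bootstrap mode discussed in the message: only the
    cryptographic chain from the trust anchor is checked. The cost is that an
    expired (or not-yet-valid) signature is accepted, i.e. replayed old signed
    data passes, so this mode should only last until the clock is trusted.
    """
    if not rrsig.crypto_ok:
        return False, "signature does not verify"
    if check_time and not in_validity_window(rrsig.inception, rrsig.expiration, now):
        return False, "outside RRSIG validity window"
    return True, "ok"


def bootstrap_sequence(rrsig: RRSIG, untrusted_now: int, synced_now: int):
    """Model the two-phase boot: resolve with time checking off, sync the
    clock, then re-validate the same answer with the window check on."""
    first = validate(rrsig, untrusted_now, check_time=False)
    second = validate(rrsig, synced_now, check_time=True)
    return first, second


if __name__ == "__main__":
    # Constructed sample: a signature valid for December 2017.
    sig = RRSIG(rrsig_time_to_serial("20171201000000"),
                rrsig_time_to_serial("20171231000000"), crypto_ok=True)
    # An RTC-less board booting with its clock reset to 1970.
    reset_clock = rrsig_time_to_serial("19700101000000")
    real_time = rrsig_time_to_serial("20171215114511")
    print(validate(sig, reset_clock))                 # rejected: clock wrong
    print(bootstrap_sequence(sig, reset_clock, real_time))
```

The design point is in `bootstrap_sequence`: the relaxed check is a bridge to get the NTP hostname resolved, and the answer is re-validated with the full window check once the clock can be trusted, so an attacker replaying stale signed records only gains until the second phase.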