DNSSEC validation without current time

Mukund Sivaraman muks at isc.org
Fri Dec 15 12:44:32 UTC 2017


On Fri, Dec 15, 2017 at 12:45:11PM +0100, Petr Menšík wrote:
> Hi folks.
> 
> I am looking for a way to validate names also on systems where the
> current time is not available or can be inaccurate.

I use a Garmin 18x LVC 1pps GPS receiver device connected to an RS-232
serial port. The device plus cables cost me $70 altogether, and ntpd
works natively with it using the NMEA refclock driver (there's no need
for gpsd). It has a 1s PPS signal accurate to 1us. It is accurate to
within +/- 100us on Fedora, where, due to no hardpps kernel support
because of the tickless kernel, the PPS signal is timestamped and
available on /dev/pps0, but the kernel doesn't use it to directly
maintain the clock, and it has to be done from userland, which is
affected by the system load.  If you were to recompile a kernel that's
configured appropriately, I feel the clock can be synchronized to about
1us accuracy.

It is more or less reliable and good value for $70 if one wants UTC on
their computer without accessing the internet. This is more than
sufficient for DNSSEC validation and many other network services, and
certainly more accurate than using the ntp.org pools.

		Mukund


More information about the bind-users mailing list