DNSSEC validation without current time

Timothe Litt litt at acm.org
Fri Dec 15 15:10:03 UTC 2017

On 15-Dec-17 07:44, Mukund Sivaraman wrote:

> On Fri, Dec 15, 2017 at 12:45:11PM +0100, Petr Menšík wrote:
>> Hi folks.
>> I am looking for a way to validate name also on systems, where current
>> time is not available or can be inaccurate.
> I use a Garmin 18x LVC 1pps GPS receiver device connected to RS-232
> serial port. The device plus cables cost me $70 altogether, and ntpd
> works natively with it using the NMEA refclock driver (there's no need
> of gpsd). It has a 1s PPS signal accurate to 1us. It is accurate to
> within +/- 100us on Fedora where due to no hardpps kernel support
> because of tickless kernel, the PPS signal is timestamped and available
> on /dev/pps0 but the kernel doesn't use it to directly maintain the
> clock and it has to be done from userland which is affected by the
> system load.  If you were to recompile a kernel that's configured
> appropriately, I feel the clock can be synchronized to about 1us
> accuracy.
> It is more or less reliable and value for $70 if one wants UTC on their
> computer without accessing the internet. This is more than sufficient
> for DNSSEC validation and many other network services, and certainly
> more accurate than using the ntp.org pools.
> 		Mukund
I use a 19xLVC too (on Raspbian == Debian). But I also have an RTC.
GPS does have outages, can take a while to get a fix, and NTP wants
consensus. So I use my GPS receiver as a local clock source
(preferred), but also configure several servers from the pools as a
sanity check - and to deal with any GPS outages/slow starts. It's
worked well for me.

Along those lines, I haven't splurged yet, but Adafruit has an
interesting module for ~$40 (US) with a breakout module ($45 on a Pi
Hat - which is cheaper/easier than building your own PCB), which
includes a GPS patch antenna. If you need an external antenna, it comes
up to about the cost of the Garmin, but draws only 20 mA vs. 90, and is a
more modern receiver. On paper it looks good.

See https://www.adafruit.com/?q=ultimate%20gps - I'm not affiliated with
Adafruit, and while I've looked at the specs, don't have direct
experience.  YMMV.


Timothe Litt
ACM Distinguished Engineer
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 
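
Why the clock matters for the validation discussed in this thread, as an added example that is not from any poster: RRSIG inception and expiration are 32-bit timestamps compared with serial number arithmetic (RFC 4034, section 3.1.5), so a validator with a wrong clock rejects good signatures. The function names, the `max_clock_error` parameter and the sample window are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

MOD = 1 << 32    # RRSIG timestamps are unsigned 32-bit seconds since the epoch
HALF = 1 << 31

def serial_diff(a, b):
    """Signed distance a - b in 32-bit serial number arithmetic (RFC 1982)."""
    d = (a - b) % MOD
    return d - MOD if d >= HALF else d

def rrsig_time_status(inception, expiration, now, max_clock_error=0):
    """Classify an RRSIG validity window against a local clock that may be
    wrong by up to max_clock_error seconds in either direction."""
    now %= MOD
    since_inception = serial_diff(now, inception)
    until_expiration = serial_diff(expiration, now)
    e = max_clock_error
    if since_inception - e >= 0 and until_expiration - e >= 0:
        return "valid"            # inside the window for every plausible true time
    if until_expiration + e < 0:
        return "expired"          # past expiration even if the clock runs fast
    if since_inception + e < 0:
        return "not-yet-valid"    # before inception even if the clock runs slow
    return "indeterminate"        # clock error straddles a window edge

def utc(*args):
    """Epoch seconds for a UTC calendar time."""
    return int(datetime(*args, tzinfo=timezone.utc).timestamp())

# Constructed sample window: a signature valid for December 2017.
INCEPTION = utc(2017, 12, 1)
EXPIRATION = utc(2017, 12, 31)

def demo():
    return {
        # Host with no RTC that booted with its clock at the epoch.
        "clock_at_1970": rrsig_time_status(INCEPTION, EXPIRATION, 0),
        # Disciplined clock, error bound of one second.
        "synced": rrsig_time_status(INCEPTION, EXPIRATION, utc(2017, 12, 15), 1),
        # Free-running clock, +/- 60 s, ten seconds before expiration.
        "near_edge": rrsig_time_status(INCEPTION, EXPIRATION, EXPIRATION - 10, 60),
        # One hour past expiration.
        "stale": rrsig_time_status(INCEPTION, EXPIRATION, EXPIRATION + 3600, 60),
    }

if __name__ == "__main__":
    for name, status in demo().items():
        print(f"{name:14} {status}")
```

The window granularity is one second, which is why a clock disciplined to microseconds is far tighter than the check itself requires.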
