DNSSEC validation without current time

Timothe Litt litt at acm.org
Mon Dec 18 13:44:11 UTC 2017 

On 18-Dec-17 01:07, Dave Warren wrote:
> On 2017-12-15 06:23, Petr Menšík wrote:
>>
>> Dne 15.12.2017 v 13:06 G.W. Haywood via bind-users napsal(a):
>>> Hi there,
>>>
>>> On Fri, 15 Dec 2017, Petr Men??k wrote:
>>>
>>>> ... current time is not available or can be inaccurate.
>>>
>>> ntpdate?
>>>
>> Sure, of course. What would be default host after installation, that can
>> be used in default installation image without manual configuration? And
>> how does it resolve that name, when date of the system is 1970-1-1 or
>> something a only a bit more accurate?
>>
>> Current pool.ntp.org adresses are unsigned now, so that would work
>> anyway. If I want spoof protection, what should I do?
>
> Do two passes. First: Use DNS without DNSSEC validation to obtain a
> list of NTP servers, and thereby determine the current time. Second:
> Use DNS with DNSSEC to obtain a list of (trusted) NTP servers, and
> verify the time.
>
> The second pass might detect the list of IPs has changed and bypass
> the second NTP pass as we now know the previous IPs were valid, but
> you must be prepared for DNS to return different IPs from a pool and
> to therefore re-verify the time -- We don't care if the IP list has
> changed, only that the time is valid.
>
> The only real challenge is to avoid letting anything else trust the
> time received in phase 1 until it has been validated by phase 2.
>

This proposal is involved, but doesn't seem to robustly solve the problem.

  * Pass 1 obtains "current time".  But you don't trust that the IP
    addresses of the NTP servers were correctly resolved.  So you don't
    trust this time.  However, you need a reasonably trustworthy time to
    bootstrap DNSSEC.  (On the order of minutes).  Else DNSSEC
    validation can fail.
  * If you're using the pools (and they resolve correctly), you're
    pretty much guaranteed that any two queries will produce a different
    set of servers.  So IP addresses will change.
  * If you use a reasonable number of NTP servers and NTP (not SNTP)
    protocol, invalid timekeepers will be sorted out.  NTP is quite
    robust, and expects some variance - including some malicious
    actors.  The reasonably recent versions with pool support will
    discard bad timekeepers and keep drawing from the pool until
    consensus is attained.  And again if it's lost (e.g. some go bad due
    to system or network failures.)  To fool NTP, you need to provide a
    number of bad time sources, synchronized closely enough for NTP to
    accept them.  This is non-trivial.  Suppose someone puts in that
    effort and succeeds.  What happens?  DNSSEC is the least of your
    problems.  Other breakage will be more subtle.  Like filesystem
    times being inconsistent and breaking CMS and other applications.
  * To prevent DNSSEC from working, time error has to be quite large. 
    All that's necessary is some approximation that's accurate within
    minutes.
  * Pass 2 requires "trusted" NTP servers.  If you have that list, why
    not resolve those names without validation in the first place?  You
    could assume that a hostile actor knows which names you resolve, and
    assume that they will substitute bad timekeepers.  But if they can
    do that, they can do the same for the pools' names.
  * What can bad time do to DNSSEC?  By rolling back, it could allow
    validation of an expired signature - but the attacker would have to
    be able to benefit from that.  Or it could prevent validation of a
    current signature (by making current time be outside the validity
    period).  Or it could prematurely force you to validate a published,
    but not yet active signature.  These amount to (at worst) denial of
    service. 

None of this is news.  See
https://tools.ietf.org/id/draft-mglt-dnsop-dnssec-validator-requirements-06.html#rfc.section.5


The bottom line is that you want accurate time.  And if you have
accurate time, DNSSEC will follow.  You also need to consider the threat
profile that you face - including the downside risks and costs of a defense.

Bootstrapping requires some reasonably accurate time source.  The
easiest way to get there is with a locally trusted source.  You can add
an RTC - again, here's one from Adafruit -
https://www.adafruit.com/product/3386 about $5 (US).  [Same
disclaimer.]  The RTCs (I haven't run this one) in general have poor
accuracy(2) - but if resynchronized with NTP time once in a while,
easily good enough to bootstrap DNSSEC.  The one I use (1) is good to
less than 1PPM with the help of some drift compensation that I put into
the utility that manages the clock.  [It's a replacement for 'hwclock'
that drives this RTC.]  (This reduces the jump when NTP starts, and
helps keep logs straight.  If you don't care about that, just update the
RTC from NTP time every week or two - that's more than sufficient for
DNSSEC & NTP bootstrap.)

Alternatively, as previously discussed, if you need the best (non PTP)
time, add a GPS receiver, with pool backup.

You can skip the DNS cyclic dependency completely if you have
locally-trusted NTP and DHCP servers - provide your clients with the NTP
server addresses via DHCP.  (They're sent as IP addresses, not names.) 
This isn't as hard as it appears.  If you run NTP on all your machines
(yes, there's NTP for windows), your Pi can get time from them.

Further, since you run your own DNS server - presumably within some
firewall - you can trust it to serve your local zones.  DNSSEC not
required.  If you include your local machines in your NTP
configurations, everything is under your control.  It then becomes a
sequencing issue only if your entire site goes down.   (If so, you want
your local master to be up first.  Otherwise, the rest will coast using
other NTP sources.)  If you're really serious, you run at least 3 local
clocks - preferably something like GPS, WWV (or other radio source), and
a local atomic (or at least, TXCO)  clock.  If you start looking at
failure scenarios, it gets more interesting.

As previously noted, startup scripts need to have the "right" definition
of "system time available" & dependencies for your applications
(including named) to start.

Because the draw minimal power (and so will run a long time with a
modest UPS), I use an RPi with GPS & some pool servers as my preferred
time source.  It boots using an RTC.  My edge router also runs NTP,
preferentially taking time from the RPi - but also configured with other
Public and local servers.  In case the RPi goes down, the local machines
also participate - the low latency and dispersion pretty much ensures
that they'll be taken over the public servers.  I may add another Pi
with another GPS and/or radio receiver, when I acquire enough round TUITs.

So, what to conclude?

  * If you have other machines in your local network, use them as NTP
    sources and provide the addresses to your RPi via DHCP.  This is
    cheapest and easiest.
  * If you don't need precise time (e.g. for purposes beyond DNSSEC),
    the next cheapest solution (in $ and time) is to just add an RTC.
  * If you also want precise time, but don't need it to be highly
    available, add a GPS.
  * For more availability, do both.  And possibly add other time sources
    (Radio, TCXO, geographically dispersed GPS, more RPis...).

In any case, let us know what you end up with.

Have fun!

(1) This isn't an expensive problem to solve.  My RPi's RTC (TOY) uses a
DS1302 - I got a bunch from e-bay for about $2 (including battery &
shipping).  I could publish the software if there's interest.


    rtc/rtc-ctl --show --debug
    TOY Clock registers as read (UTC):
    81: 57 RUN 57 sec
    83: 42     42 min
    85: 12 24H 12 hr
    87: 18     18 date
    89: 12     12 month
    8B: 02     02 weekday
    8D: 17     17 year
    8F: 80  WP ctl
    Applying drift correction of -28.370 PPM to 10869574.837 seconds
    (125d 19h 19m 35s) elapsed
    TOY    time is Mon Dec 18 2017 07:48:05     EST
    System time is Mon Dec 18 2017 07:48:07.234 EST
    Remaining offset is -2.234 sec (-0.206 PPM)

(2) 20 ppm is ~ one min/month.  Typical crystals can be 100 ppm or more
(depending on temperature & PCB layout), so 5 min/month.  TSIG fudge is
nominally 5 min, so resyncing every 1-2 weeks is close enough.  And also
close enough for sane DNSSEC configurations.  You can resync more often,
but it's a fair bit of bit-banging on a slow bus (I2C or SPI for most),
and there's no point.

Oh, why mention TSIG?  Because ... it's another time-sensitive part of
named, and often used for DHCP - DNS updates...

Timothe Litt
ACM Distinguished Engineer
--------------------------
This communication may not represent the ACM or my employer's views,
if any, on the matters discussed. 

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://lists.isc.org/pipermail/bind-users/attachments/20171218/25988690/attachment.html>

More information about the bind-users mailing list