DNSSEC validation without current time

Dave Warren dw at thedave.ca
Mon Dec 18 23:31:37 UTC 2017


On 2017-12-18 06:44, Timothe Litt wrote:
> 
> On 18-Dec-17 01:07, Dave Warren wrote:
>> On 2017-12-15 06:23, Petr Menšík wrote:
>>>
>>>> On 15.12.2017 at 13:06, G.W. Haywood via bind-users wrote:
>>>> Hi there,
>>>>
>>>> On Fri, 15 Dec 2017, Petr Menšík wrote:
>>>>
>>>>> ... current time is not available or can be inaccurate.
>>>>
>>>> ntpdate?
>>>>
>>> Sure, of course. What would be the default host after installation, that can
>>> be used in a default installation image without manual configuration? And
>>> how does it resolve that name, when the date of the system is 1970-1-1 or
>>> something only a bit more accurate?
>>>
>>> Current pool.ntp.org addresses are unsigned now, so that would work
>>> anyway. If I want spoof protection, what should I do?
>>
>> Do two passes. First: Use DNS without DNSSEC validation to obtain a 
>> list of NTP servers, and thereby determine the current time. Second: 
>> Use DNS with DNSSEC to obtain a list of (trusted) NTP servers, and 
>> verify the time.
>>
>> The second pass might detect the list of IPs has changed and bypass 
>> the second NTP pass as we now know the previous IPs were valid, but 
>> you must be prepared for DNS to return different IPs from a pool and 
>> to therefore re-verify the time -- We don't care if the IP list has 
>> changed, only that the time is valid.
>>
>> The only real challenge is to avoid letting anything else trust the 
>> time received in phase 1 until it has been validated by phase 2.
>>
> 
> This proposal is involved, but doesn't seem to robustly solve the problem.
> 
>   * Pass 1 obtains "current time".  But you don't trust that the IP
>     addresses of the NTP servers were correctly resolved.  So you don't
>     trust this time.  However, you need a reasonably trustworthy time to
>     bootstrap DNSSEC.  (On the order of minutes).  Else DNSSEC
>     validation can fail.

Right, this is the whole point and why it works. If either DNS or NTP is 
malicious, pass 2's DNSSEC validation fails and we know we don't yet 
have valid time.


>   * If you're using the pools (and they resolve correctly), you're
>     pretty much guaranteed that any two queries will produce a different
>     set of servers.  So IP addresses will change.

DNS caching may provide the same IP addresses. It is irrelevant as this 
is just an optimization which fails gracefully, or can be skipped entirely.


>   * Pass 2 requires "trusted" NTP servers.  If you have that list, why
>     not resolve those names without validation in the first place?  You
>     could assume that a hostile actor knows which names you resolve, and
>     assume that they will substitute bad timekeepers.  But if they can
>     do that, they can do the same for the pools' names.

I think that this is the whole point -- There is no hardcoded list of 
trusted NTP servers. We need to obtain the list from DNS (pass 1) and 
verify that the list can be trusted using DNSSEC (pass 2).
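The two-pass bootstrap discussed in this thread, as an added simulation that is not code from the thread, from BIND or from any NTP client. The resolver, the signed zone, the RRSIG validity window, the NTP answers and the addresses are all constructed in-memory stand-ins, and the validator's clock tolerance (SKEW) is an assumption; the point is the control flow: pass 1 resolves without DNSSEC and fetches a provisional time that nothing else may use, pass 2 validates the same name with DNSSEC using only that provisional clock, and the time is committed only if validation succeeds (re-querying NTP when the pool hands out different addresses).

```python
"""Two-pass clock bootstrap: unvalidated DNS -> NTP -> DNSSEC-validated DNS -> NTP.

Added illustration (not code from the thread or from BIND). The resolver,
zone data, RRSIG validity windows and NTP answers are constructed in-memory
stand-ins so the control flow can be run offline.
"""
from dataclasses import dataclass

SKEW = 300                  # assumed validator clock tolerance, seconds
TRUE_NOW = 1_513_639_897    # constructed "real" time, around the thread's date
POOL = "pool.ntp.example."  # constructed pool name


@dataclass(frozen=True)
class RRset:
    addrs: tuple            # A records for the pool name
    inception: int          # RRSIG validity window start (epoch seconds)
    expiration: int         # RRSIG validity window end
    chain_ok: bool          # constructed: does the chain to the trust anchor verify?


class BogusAnswer(Exception):
    """DNSSEC validation failed: bad chain, or RRSIG not valid at the given clock."""


class Resolver:
    """Toy stub resolver. `unvalidated` holds what a non-validating query sees
    when it differs from the signed set (pool rotation, or a forged answer)."""

    def __init__(self, zone, unvalidated=None):
        self.zone = zone
        self.unvalidated = unvalidated or {}

    def resolve(self, name):
        # Pass 1: plain lookup, no DNSSEC, no clock needed.
        return self.unvalidated.get(name, self.zone[name].addrs)

    def resolve_validated(self, name, clock):
        # Pass 2: validation needs a clock to check the RRSIG window.
        rr = self.zone[name]
        if not rr.chain_ok:
            raise BogusAnswer(f"{name}: signature chain does not verify")
        if not (rr.inception - SKEW <= clock <= rr.expiration + SKEW):
            raise BogusAnswer(f"{name}: RRSIG not valid at clock {clock}")
        return rr.addrs


def bootstrap_time(resolver, ntp_servers):
    """Return a validated time, or None if we still have no trustworthy clock.

    ntp_servers maps address -> the time that server reports (constructed)."""
    # Pass 1: untrusted names, untrusted time. Nothing else may consume it yet.
    pass1_addrs = resolver.resolve(POOL)
    provisional = ntp_servers[pass1_addrs[0]]

    # Pass 2: DNSSEC-validated lookup, using only the provisional clock.
    try:
        trusted_addrs = resolver.resolve_validated(POOL, provisional)
    except BogusAnswer:
        return None         # DNS or NTP lied (or chain broken): keep waiting

    # Optimisation from the thread: the same servers validated, so the pass-1
    # time already came from a server we now trust.
    if set(trusted_addrs) == set(pass1_addrs):
        return provisional

    # Pool handed out different addresses: re-verify against validated servers.
    verified = ntp_servers[trusted_addrs[0]]
    if abs(verified - provisional) > SKEW:
        return None         # validated with a clock the trusted servers contradict
    return verified


def scenarios():
    """Constructed cases: honest, pool rotation, forged pass-1 answer, broken chain."""
    window = (TRUE_NOW - 3600, TRUE_NOW + 86400)
    ntp = {
        "192.0.2.10": TRUE_NOW,                       # trusted pool member
        "192.0.2.11": TRUE_NOW + 1,                   # another honest member
        "198.51.100.9": TRUE_NOW + 10 * 365 * 86400,  # bad timekeeper, ten years ahead
    }
    signed = {POOL: RRset(("192.0.2.10",), *window, True)}
    return {
        "honest": bootstrap_time(Resolver(signed), ntp),
        "rotation": bootstrap_time(Resolver(signed, {POOL: ("192.0.2.11",)}), ntp),
        "forged_pass1": bootstrap_time(Resolver(signed, {POOL: ("198.51.100.9",)}), ntp),
        "broken_chain": bootstrap_time(
            Resolver({POOL: RRset(("192.0.2.10",), *window, False)}), ntp),
    }


if __name__ == "__main__":
    for case, result in scenarios().items():
        print(f"{case:13s} -> {'no valid time' if result is None else result}")
```

Running the block prints the four constructed cases: the honest and pool-rotation cases yield a committed time, while a forged pass-1 answer pointing at a bad timekeeper and a broken signature chain both leave the host with no valid time. The window check only rejects a provisional clock that falls outside the RRSIG validity period, which is the limit behind the "on the order of minutes" remark above: the bootstrap establishes that the clock is good enough to validate DNSSEC, and the time finally committed should come from the servers that passed validation.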

