[systemd-devel] timesyncd, dnssec

David Timothy Strauss david at davidstrauss.net
Wed May 21 23:12:41 PDT 2014


On Wed, May 21, 2014 at 5:48 AM, Jason A. Donenfeld <Jason at zx2c4.com> wrote:
> Temporary work around is to hard code IPs into NTP.

It'd be neat to do the following:
 (1) Do a DNS lookup for NTP servers, fetching DNSSec information.
 (2) If a signature/clock sync issue is the only barrier to validating
the response, still use the response for the next couple steps.
 (3) Fetch time from the NTP servers, but only use it to validate the
DNS response signatures.
 (4) If the signature now checks out, sync the local clock to the data.

Code could ship minimum timestamps to accept in step #3, thereby
ensuring that malicious, replayed responses are never older than the
release itself. This is superior to shipping fixed IPs because this
algorithm ensures the IPs are *at least* as fresh as the release
rather than *exactly* as fresh as the release.

It's a shame that there's no provision in DNSSec for a server creating
custom-signed responses based on a client nonce, just for this sort of
case. That would only require the ability to generate one-time values,
even if it's just a MAC address plus a counter. Might be an easy way
to DoS attack DNS servers, though, by breaking through caches and
forcing lots of signing work. Wouldn't work with servers supporting
only offline signing, either.
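The four-step bootstrap and the shipped minimum timestamp, as an added illustration that is not part of this thread or of timesyncd itself: an HMAC over the record and its validity window stands in for a real RRSIG, and RELEASE_TIME, the server addresses and the fetch_ntp_time callback are constructed placeholders.

```python
import hmac
import hashlib
from dataclasses import dataclass

# Placeholder build timestamp that would be compiled into the release (step #3 floor).
RELEASE_TIME = 1_400_000_000
# Simplification: an HMAC key stands in for the zone's signing key.
ZONE_KEY = b"constructed-zone-key"

@dataclass
class SignedAnswer:
    names: tuple      # NTP server addresses returned by the DNS answer
    inception: int    # RRSIG-style validity window, as epoch seconds
    expiration: int
    signature: bytes

def _message(names, inception, expiration):
    return f"{','.join(names)}|{inception}|{expiration}".encode()

def sign(names, inception, expiration):
    """Constructed 'zone' producing a signed answer with a validity window."""
    sig = hmac.new(ZONE_KEY, _message(names, inception, expiration), hashlib.sha256).digest()
    return SignedAnswer(tuple(names), inception, expiration, sig)

def validate(answer, now):
    """Return 'ok', 'bad-signature', or 'time-window' (the only failure step 2 tolerates)."""
    expected = hmac.new(ZONE_KEY, _message(answer.names, answer.inception, answer.expiration),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, answer.signature):
        return "bad-signature"
    if not (answer.inception <= now <= answer.expiration):
        return "time-window"
    return "ok"

def bootstrap_clock(answer, local_now, fetch_ntp_time, min_timestamp=RELEASE_TIME):
    """Steps 1-4 of the proposal; returns the time to trust, or None if nothing can be trusted."""
    status = validate(answer, local_now)
    if status == "bad-signature":
        return None                     # cryptographically wrong answers are never used, even tentatively
    if status == "ok":
        return local_now                # local clock is already inside the window; nothing to bootstrap
    # Step 3: only the clock is suspect, so query the (still unverified) servers for time.
    ntp_time = fetch_ntp_time(answer.names)
    if ntp_time is None or ntp_time < min_timestamp:
        return None                     # replayed/stale NTP response: not even as fresh as the release
    # Step 4: re-check the DNS signature under the NTP time before trusting either source.
    if validate(answer, ntp_time) != "ok":
        return None
    return ntp_time
```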

