NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: ntpdate(8) and unbound(8) dependencies during boot

Sad Clouds <> writes:

>> Is it reasonable/feasible to have unbound lighten up on the tight time
>> requirement?
> You can make adjustments in unbound.conf
>        val-sig-skew-min: <seconds>
>        val-sig-skew-max: <seconds>
> but what exactly is a reasonable time skew? Ideally you'd want to keep
> it as small as possible, otherwise you open yourself to replay attacks,
> etc. It's not just unbound, I think any DNS resolver implementing
> DNSSEC would have such limits. 

I think reasonable is in the eye of the beholder, balancing the security
goodness from tight replay protection and the pain of trouble when the
clock is wrong.

It seems fairly clear that 1 day is not a good choice for systems that
don't have reliable clocks.

Arguably, for systems that want this replay protection in DNSSEC, they
need to not allow ntpdate or large steps, because those are based on
unauthenticated data.

So perhaps unbound should default to what it does now, normally, and to
30 days if the system reports (via the sysctl I proposed) that there is
no TOD clock.

I wonder what anyone's plan is for configuring authentication on NTP by
default? (that's really hard)

Attachment: signature.asc
Description: PGP signature

Home | Main Index | Thread Index | Old Index