Bug 1134 - DNSSEC validation to for embedded devices without a power off real time clock
Product: unbound
Classification: Unclassified
Component: server
Importance: P5 enhancement
Assigned To: unbound team
Reported: 2016-10-25 03:14 CEST by Eric Luehrsen
Modified: 2016-10-25 13:52 CEST (History)
Description Eric Luehrsen 2016-10-25 03:14:07 CEST
Unbound is light enough to use on consumer grade routers to give power users the ability to operate their own recursive server. Consumers having issues with their ISP imposing non-regulatory censorship or worse snoop-vertising techniques may find Unbound useful. DNSSEC is critical to prevent this recursive process from being subverted also. However, these devices have one issue where the power off real time clock is cost saved out. With Unbound, the only way around this is complex scripts or to permanently "domain-insecure: <my.favorite-ntp.org>." The popular dnsmasq while only being a stub resolver has two clever means to solve this. They could also be useful for Unbound:

(1) With such an option set, perform DNSSEC without the time component for some time after Unbound starts. When the local system has good time, it can issue SIGUSR signal to Unbound. Unbound will flush cache and then perform full DNSSEC.

(2) With another option, perform DNSSEC without the time component... Monitor a file like /var/lib/unbound/unbound.time. When system time is newer than "unbound.time" file-date, flush cache and perform full DNSSEC. Side note: The typical script in /etc/init.d/ could touch the file with explicit offset to be 1-5 minutes in the future, in case reboot time (youngest file in rootfs) is relatively recent.

(3) Create option "initial-domain-insecure:" where a user can put their ntp server. This path does DNSSEC but ignores time. Like option one, the NTP daemon can issue a script with SIGUSR to Unbound. Only the "initial-domain-insecure:" cache and dependencies are flushed, and resumes full DNSSEC. All other domains remain full DNSSEC during the window, and will fail validation until.
Comment 1 Wouter Wijngaards 2016-10-25 13:33:21 CEST
Hi Eric,

These are very interesting ideas.  Perhaps the user mailing list (unbound-users) could also provide a discussion ground (or perhaps nobody is interested).

3 is probably bad because it makes the system bogus (servfail) for too long.  The customer wants to use the internet.  Believe me, from dnssec-trigger bugreports, 3 minutes of servfail is like an eternity, 10 seconds 'very nasty'.

Thus, something that makes the system work.  Without proper time.  Not sure, apart from an 'ignore time' option.  I could make such an option, make unbound-control capable of set_option (and get_option) the ignore-time at runtime.  (Without flushing cache).  And then the scripts on the machine can figure out what they want (ignore time / flush caches ...).

Other than that; you could rdate the time at startup perhaps?  From the datetime service?  Unbound-host can use a different config file and could be used without dnssec-validation to support the datetime service?

Best regards, Wouter
Comment 2 Wouter Wijngaards 2016-10-25 13:52:46 CEST
Hi Eric,

The tool turns out to already exist, but did not allow runtime change; I have coded it to allow runtime change.

Use unbound-control .. -- set_option val-override-date: -1   (with -- to ignore the -1 as an option flag).  This ignores dates in validation until you set it to '0', when it'll do the normal thing again.  You can also set the val-override-date in the unbound.conf at -1 and then at runtime set it to 0 when time is available again.

The code is in the repository; it allows unbound to set_option the override date at runtime.

Best regards, Wouter
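The boot-time workaround from comment 2 (start with val-override-date: -1 and switch back to 0 once the clock is trustworthy), written up as an added hook script for a router without a battery-backed clock. This is example code, not part of the bug report or of Unbound; it assumes a hypothetical /etc/build-epoch file holding the firmware build time as epoch seconds, and unbound-control on the PATH.

```shell
#!/bin/sh
# Added example (not from the bug report or the Unbound project): a helper an
# init or NTP "time synced" hook can call on a device with no power-off RTC.
# Per comment 2: boot with "val-override-date: -1" in unbound.conf so DNSSEC
# validation ignores signature dates, then set it to 0 at runtime once the
# system clock is believable.
#
# Assumptions (hypothetical, not from the page): the firmware build time is
# stored as epoch seconds in /etc/build-epoch, and unbound-control is on PATH.

BUILD_EPOCH_FILE="${BUILD_EPOCH_FILE:-/etc/build-epoch}"
# Constructed fallback: 2016-10-25 00:00:00 UTC (the bug's report date).
DEFAULT_BUILD_EPOCH=1477353600

# Epoch seconds the firmware was built; a clock earlier than this is bogus
# (typically the kernel default after a cold boot without an RTC).
build_epoch() {
    if [ -r "$BUILD_EPOCH_FILE" ]; then
        cat "$BUILD_EPOCH_FILE"
    else
        printf '%s\n' "$DEFAULT_BUILD_EPOCH"
    fi
}

# Succeed when the given epoch (default: now) is at or after the build time.
time_is_sane() {
    now="${1:-$(date +%s)}"
    [ "$now" -ge "$(build_epoch)" ]
}

# Map a clock reading to the val-override-date value for Unbound:
# -1 ignores validity dates in validation, 0 restores normal validation.
override_value() {
    if time_is_sane "$1"; then printf '%s\n' 0; else printf '%s\n' -1; fi
}

# Push the value into the running daemon. The "--" stops unbound-control
# from parsing "-1" as a command-line flag, as comment 2 notes.
apply_override() {
    val="$(override_value "${1:-$(date +%s)}")"
    unbound-control -- set_option val-override-date: "$val"
}

# Run as "script apply" from an NTP hook; with no argument the functions
# are merely defined, so the file can also be sourced for testing.
if [ "${1:-}" = "apply" ]; then
    apply_override
fi
```

Calling apply_override twice is harmless: the second call simply re-sets the same value, so an NTP daemon that fires its hook on every resync does not need extra state.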