On 2017-12-15 06:23, Petr Menšík wrote:
Dne 15.12.2017 v 13:06 G.W. Haywood via bind-users napsal(a):
Hi there,
On Fri, 15 Dec 2017, Petr Men??k wrote:
... current time is not available or can be inaccurate.
ntpdate?
Sure, of course. What would be default host after installation, that can
be used in default installation image without manual configuration? And
how does it resolve that name, when date of the system is 1970-1-1 or
something a only a bit more accurate?
Current pool.ntp.org adresses are unsigned now, so that would work
anyway. If I want spoof protection, what should I do?
Do two passes. First: Use DNS without DNSSEC validation to obtain a list
of NTP servers, and thereby determine the current time. Second: Use DNS
with DNSSEC to obtain a list of (trusted) NTP servers, and verify the time.
The second pass might detect the list of IPs has changed and bypass the
second NTP pass as we now know the previous IPs were valid, but you must
be prepared for DNS to return different IPs from a pool and to therefore
re-verify the time -- We don't care if the IP list has changed, only
that the time is valid.
The only real challenge is to avoid letting anything else trust the time
received in phase 1 until it has been validated by phase 2.
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe
from this list
bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
