DNSSEC validating resolver on machines without RTC or wrong date

Petr Menšík pemensik at redhat.com
Thu Apr 20 12:50:01 UTC 2023


I have a feeling you have something personal against me, but I cannot 
remember that we ever had a discussion. Your responses seem to me a bit 
of an overreaction and I do not understand why. More below.

On 20. 04. 23 1:24, Fred Morris via Unbound-users wrote:
> "Pulling yourself up by your bootstraps" is never going to be pretty, 
> although it can be entertaining (I'm picturing Jerry Lewis or Dick Van 
> Dyke on the Carol Burnett show).
I don't follow; I do not care about actors' names in TV shows anyway.
>
> On Wed, 19 Apr 2023, Petr Menšík via Unbound-users wrote:
>>
>> If you add this into /etc/hosts, then you could instead just use 
>> fixed address(es) in NTP service instead of a name. The use of DNS is 
>> good, because you can change it on server only and clients will 
>> notice that soon.
>>
>> If you hardcode IP address or address for the name, then there is no 
>> reason to use the name anymore. A comment above IP addresses would be 
>> just as good.
>
> There are clearly options. 8)
There always are.
>
>> On 16. 04. 23 15:43, tito via Unbound-users wrote:
>>>  On Sun, 16 Apr 2023 09:19:13 -0400
>>>  James Cloos via Unbound-users <unbound-users at lists.nlnetlabs.nl> 
>>> wrote:
>>>
>>>>>>>>>  "FMvU" == Fred Morris via Unbound-users
>>>>>>>>>  <unbound-users at lists.nlnetlabs.nl> writes:
>>>> FMvU>  This is where it starts to go off the rails for me. I mean: 
>>>> where?
>>>> FMvU>  Someplace which is neither configured a fixed address or 
>>>> FMvU>  provisioned
>>>> FMvU>  with DHCP... and yet is connected to the internet: where is 
>>>> that?
>>>>
>>>>  he means a fixed ip for the ntp server, not for the client.
>>>>
>>>>  -JimC
>>>  Hi,
>>>  couldn't this be added to /etc/hosts?
>
> DNSSEC requires accurate time (as does TSIG). Without going into the 
> sprawling, messy details (they're everywhere!) it's because The DNS is 
> a global resource.
>
> DNS the protocol, operating locally in a controlled environment, 
> arguably doesn't need DNSSEC at all. Today. Not yesterday. Today; and 
> tomorrow. (Not sure about the day after that.)
I do not agree with your result. I think DNSSEC can be useful even on 
end devices like laptops, maybe even phones. Already, today. But I admit 
preparing a system to have DNSSEC enabled by default has its challenges. 
Broken forwarders especially are still not rare enough. I think DANE can 
still be useful on common end devices. Therefore I am looking for a way 
to make it possible. I do not want to enforce it anywhere, just make it 
possible.
>
> Bootstrapping is a messy thing, and it often requires doing things at 
> one stage which are countermanded / replaced / nullified at a later 
> stage. Like that keyboard, or a disk, or network card, needing a 
> driver loaded before the "real" boot.
>
> In a containerized environment, /etc/hosts could indeed be edited in 
> the image by the host OS prior to booting the image. OTOH it could 
> certainly have an initial value which points to a local resource to 
> start with. Lots of options here, some much more complicated or 
> sophisticated (not interested in saying anything here is a "problem" 
> thereby in need of a patented "solution").
I doubt a containerized environment needs to solve time setting, because 
the host is responsible for providing it. It makes sense that it has done 
so well enough before starting any containers. Also, the host should be 
doing the DNS caching, not every container, IMHO. It seems to me you are 
referring more to the server world, whereas I am looking more at end-user 
device systems.
>
> I helped build a malware sandbox which ran malware which was most def 
> interested in learning as much as possible about its operating 
> environment. Needless to say, we were successful. We did it with 
> adversarial payloads, and you (generic traditional rhetorical plural) 
> can't do it when presented with an environment which is purpose built 
> to help you succeed? I find it puzzling... at least, excepting 
> misfeasance and malfeasance.
I am afraid I do not follow here.
>
> I still want to understand more about "what boot environment does 
> this?" but this is not a DNS question. I totally get that a device 
> could boot a real OS without having a real clock. Why can't someone 
> propose a real environment as a reference model to center and pin this 
> discussion?
>
> -- 
>
> Fred Morris

Take the example of a Fedora distribution image prepared to run on a 
Raspberry Pi device. Let's say I would like to use that device as an ssh 
terminal and I would like to have SSHFP records validated (where 
possible). Instead of systemd-resolved I would like unbound as a system 
cache, but with the boot race conditions already solved by the vendor, 
so there are just minimal steps to do on my side as a user. Ideally it 
would boot from a live DVD alternative without me changing anything.

Similarly when I boot a live DVD on a freshly bought laptop, where, let's 
imagine, DNSSEC validation is enabled by default. I want to boot into the 
graphical interface without ever having to visit the BIOS to set the 
date; I expect it can fix it itself. All I need to do is plug in the 
network cable.

Regards,
Petr

-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
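
Added example, not part of the original message or of Unbound's code: a sketch of the time check behind the thread's subject, showing how an RRSIG validity window looks from a device whose clock is unset or wrong at boot. The signature window, the clock states and all function names are constructed for illustration.

```python
from datetime import datetime, timezone

MOD, HALF = 1 << 32, 1 << 31  # RRSIG times are 32-bit serial numbers

def parse_rrsig_time(text):
    """RRSIG presentation form YYYYMMDDHHmmSS (UTC) -> seconds since epoch."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def serial_lt(a, b):
    """RFC 1982 ordering: True when a comes before b in 32-bit serial space."""
    return 0 < (b - a) % MOD < HALF

def rrsig_time_status(now, inception, expiration, skew=0):
    """Classify a signature's validity window as seen from the local clock.

    skew is the tolerance in seconds a validator may grant a drifting clock.
    """
    if serial_lt((now + skew) % MOD, inception % MOD):
        return "not-yet-valid"
    if serial_lt(expiration % MOD, (now - skew) % MOD):
        return "expired"
    return "valid"

# Constructed sample signature window (not taken from any real zone).
INCEPTION = parse_rrsig_time("20230410000000")
EXPIRATION = parse_rrsig_time("20230510000000")

# Constructed clock states for a device at boot.
CLOCKS = {
    "synchronized": parse_rrsig_time("20230420125001"),
    "no RTC, starts at epoch": parse_rrsig_time("19700101000000"),
    "stale, behind": parse_rrsig_time("20220101000000"),
    "wrong, ahead": parse_rrsig_time("20240101000000"),
}

def classify_clocks(skew=0):
    """Return the validity status of the sample signature for each clock."""
    return {name: rrsig_time_status(now, INCEPTION, EXPIRATION, skew)
            for name, now in CLOCKS.items()}

if __name__ == "__main__":
    for name, status in classify_clocks().items():
        print(f"{name:26} -> {status}")
```

A clock that is behind makes every current signature look not yet valid, and a clock that is ahead makes it look expired; a small skew allowance only absorbs drift of the same order, not a missing RTC.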


