On Mon, Feb 25, 2019 at 09:38:13AM +0100, Peter J. Philipp wrote:
> Hi,
>
> I'm currently working with TSIG (RFC 2845) on my project. The idea came to me
> to use it as a constraint to openntpd. This would solve a paradox on my NUC
> which does DNS in my apartment. The NUC's BIND uses TSIG to question a
> forwarder for DNS answers. TSIG relies on time to be correct within a small
> window (called a fudge). So you see, the HTTPS constraints on the NUC would
> never work if the time was off (thankfully it has an RTC), because it would
> not be able to look up the name of the server. It's an endless spiral if
> nobody intervenes (DNS does not work because of bad time, time does not get
> updated because of DNS).
>
> I already shared some TSIG work, three years ago, here:
>
> https://marc.info/?l=openbsd-tech&m=145656997013119&w=2
>
> And I can probably enhance that to cause a timecheck on the DNS server with
> TSIG.
>
> This would also allow me to move the BIND closer to the router (currently
> an octeon without RTC) and possibly have a second nameserver in the local LAN.
>
> A TSIG is authenticated and I believe to get past BADKEY and BADSIG messages to
> get BADTIME replies one has to configure a key. Question is, does OpenBSD have
> a need for something like that? I can branch off my work that I'm currently
> doing and spend some time on ntpd.
>
> Regards,
> -peter
>
I've done some work in a related area, bootstrapping ntpd while using
a DNSSEC enabled resolver. If the time is off, that does not work atm.
That work was never finished because of reasons.
But I think the TSIG use case is pretty limited. Who uses it other
than for zone transfers?
-Otto
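The verification order Peter relies on (BADKEY, then BADSIG, then BADTIME, with the server's own clock returned in the BADTIME reply's Other Data field, RFC 2845 section 4.5) as an added Python example; this is not code from the thread, openntpd or BIND. The MAC construction is simplified, and the key name, secret and timestamps are constructed values.

```python
import hmac
import hashlib

# TSIG extended RCODEs from RFC 2845 section 1.7
NOERROR, BADSIG, BADKEY, BADTIME = 0, 16, 17, 18

# Constructed shared secret for the example (not a real key)
KEYS = {b"nuc-forwarder.": b"constructed-secret-do-not-use"}

def mac_for(secret, message, key_name, time_signed, fudge):
    """Simplified TSIG MAC: HMAC over the message plus the time variables.
    The real digest also covers the TSIG RR name/class/ttl/algorithm fields
    (RFC 2845 section 3.4.2); that detail is omitted here."""
    data = (message + key_name
            + time_signed.to_bytes(6, "big") + fudge.to_bytes(2, "big"))
    return hmac.new(secret, data, hashlib.sha256).digest()

def server_verify(message, key_name, mac, time_signed, fudge, now):
    """Checks in the order RFC 2845 section 4.5 prescribes: key, MAC, time.
    Returns (rcode, other_data); other_data carries the server's 48-bit
    time only on BADTIME, which is what a client could use as a clock hint."""
    secret = KEYS.get(key_name)
    if secret is None:
        return BADKEY, b""          # unknown key: no time information leaks
    expected = mac_for(secret, message, key_name, time_signed, fudge)
    if not hmac.compare_digest(expected, mac):
        return BADSIG, b""          # wrong secret: still no time information
    if abs(now - time_signed) > fudge:
        return BADTIME, now.to_bytes(6, "big")
    return NOERROR, b""

def server_time_from_badtime(other_data):
    """Client side: recover the server clock from the 6-byte Other Data."""
    if len(other_data) != 6:
        raise ValueError("BADTIME other data must be 6 bytes")
    return int.from_bytes(other_data, "big")
```

A client whose clock is far off still produces a valid MAC over its own (wrong) time, so with a configured key the server answers BADTIME rather than BADSIG and hands back its clock.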