To me this leaves the biggest problem remaining is key rotation. Me being me, and remembering just how hard it was to get dnssec working on systems lacking reliable time, I worry about that part. What we settled on for dnsmasq-dnssec was to write the current time to flash every day (or few hours), boot up without dnssec enabled long enough to get an ntp server... and rely on key rollover taking hours or days to *usually* get a correct result. RTCs with batteries are usually not included.
that's still fragile (imagine a power failure lasting days, or a box being down for several days for repair. It happens). In the case of routing... if you don't have the correct time... and you can't get a route so you can get the correct time from ntp... then what? Do we make GPSes MTI also? Setting that aside for the moment, having a standardized file format for babel keys would be a boon and boost interoperability between bird/babel and other possible implementations. You would merely declare a key name in the main conf for bird or babel, and reference it in a separate file with a format like this: KEY START_DATE END_DATE TYPE VALUE name\wrfc3339\wrfc3339\wsha256|blake2s\wvalue https://tools.ietf.org/html/rfc3339 administrators would push out this one standard format file to routers, strongly suggesting that UTC times be used universally and that key rollover should be staged over hours or days lest connectivity be lost. Other sanity checks like ensuring there is some form of persistent and correct time on routers using authentication are also needed. alternatives might include certs and other stuff that bears drinking about. -- Dave Täht CTO, TekLibre, LLC http://www.teklibre.com Tel: 1-831-205-9740 _______________________________________________ Babel-users mailing list Babel-users@alioth-lists.debian.net https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/babel-users
