OpenBSD has its own, relatively simple NTP daemon called OpenNTPd, which has interesting security properties. This talk will describe some security features and then focus on the task of getting the time right on boot, even if the system is doing DNSSEC-enabled name resolution and has no working battery-backed real-time clock. Some systems do not have a battery-backed real-time clock at all (think Raspberry Pi). A dead CMOS battery is also common, especially when running old gear. These systems typically come up with a clock that is completely wrong, so we have to determine trusted time with no idea of the actual time. This bootstrapping problem is interesting and hard, because validation methods require a proper idea of the current time to validate trust chains. How are we going to get trusted time information if we need proper time to validate the trust chains?
Otto Moerbeek has been an OpenBSD developer for 20 years. His contributions to OpenBSD include major work on utilities like patch(1) and diff(1), new versions of dc(1) and bc(1), privilege-separated tcpdump(8), work on ntpd(8) and kernel time code, unwind(8), large partition and ffs2 support, a complete rewrite of malloc(3) and work on the OpenBSD/loongson port.