Development issues regarding the cerowrt test router project
From: Simon Kelley <simon@thekelleys.org.uk>
To: "Toke Høiland-Jørgensen" <toke@toke.dk>
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping
Date: Thu, 27 Mar 2014 20:38:10 +0000	[thread overview]
Message-ID: <53348C32.4040907@thekelleys.org.uk> (raw)
In-Reply-To: <87ppleroks.fsf@alrua-x1.karlstad.toke.dk>

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 22/03/14 20:00, Toke Høiland-Jørgensen wrote:
> Simon Kelley <simon@thekelleys.org.uk> writes:
> 
>> That would be possible: it would require care to make it work in
>> the face of the system time being warped by NTP. Best way may be
>> to use times() rather than time()
> 
> Good point. Since the availability of reliable time is what we're 
> waiting for, perhaps a large jump in the system clock could be
> taken to mean it has been achieved and taken as a signal to exit
> the grace period? With a timer for the case where the time is
> already accurate, of course. This would make it rather specific to
> this use case, though...
> 
> -Toke
> 


Ok, here's a suggestion.

Add a command-line flag to dnsmasq, called --dnssec-no-timecheck or
something, which disables the checking of RRSIG inception and expiry
times. This flag is automatically reset when dnsmasq gets the SIGHUP
signal which causes it to clear the cache and re-read (some)
configuration.

Now CeroWRT or equivalent can modify the script which starts or
restarts dnsmasq to provide that flag iff NTP has not found a valid
time yet, and modify the NTP script to SIGHUP dnsmasq when a valid
time is found. Any malicious entries which may have entered the cache
during the period of relaxed checking are discarded at this point.


This is trivial to do, and can go in 2.69rc2, if agreed promptly.


Cheers,

Simon.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlM0jCsACgkQKPyGmiibgrdEnQCfQ94UI/kbBmmX3sEUGBAMCtDS
glgAoIH2EAadNw4WmJAXBhYtknTHGk/r
=VGN4
-----END PGP SIGNATURE-----
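The flag-plus-SIGHUP handshake Simon proposes, written out as an added shell example; this is not dnsmasq's or CeroWRT's own init code. `--dnssec-no-timecheck`, `--dnssec` and `--pid-file` are real dnsmasq options; the marker file path, the pid file location and the function names are assumptions chosen for the example. The init side appends the relaxed-check flag only while no valid time has been recorded; the NTP side records the time as valid and SIGHUPs dnsmasq, which (as described above) clears the cache, discarding anything accepted while checks were relaxed, and re-enables RRSIG inception/expiry checking.

```shell
#!/bin/sh
# Added example, not from dnsmasq or CeroWRT. Glue between an NTP client and
# dnsmasq so that RRSIG time checks are skipped only until the clock is trusted.
# Assumed paths (override them to match the system):
TIME_VALID_MARKER="${TIME_VALID_MARKER:-/tmp/.ntp-time-valid}"  # touched once NTP has a valid time
DNSMASQ_PIDFILE="${DNSMASQ_PIDFILE:-/var/run/dnsmasq.pid}"     # written by dnsmasq via --pid-file
DNSMASQ_CONF="${DNSMASQ_CONF:-/etc/dnsmasq.conf}"

# Extra argument for dnsmasq in the current state: the relaxed-check flag
# while NTP has not yet validated the clock, nothing once it has.
dnssec_time_flag() {
    if [ -e "$TIME_VALID_MARKER" ]; then
        printf '%s' ''
    else
        printf '%s' '--dnssec-no-timecheck'
    fi
}

# Command line the init script would start (or restart) dnsmasq with.
# Validation is enabled with --dnssec; the time-check flag is appended
# iff the clock is still untrusted, as in the proposal above.
dnsmasq_command() {
    cmd="dnsmasq --conf-file=$DNSMASQ_CONF --pid-file=$DNSMASQ_PIDFILE --dnssec"
    flag=$(dnssec_time_flag)
    if [ -n "$flag" ]; then
        cmd="$cmd $flag"
    fi
    printf '%s' "$cmd"
}

# Hook for the NTP client to call when it first obtains a valid time:
# record the state for later restarts, then SIGHUP dnsmasq so it drops its
# cache (including anything accepted while checks were relaxed) and resets
# the flag, re-enabling RRSIG inception/expiry checks.
ntp_time_valid_hook() {
    : > "$TIME_VALID_MARKER"
    if [ -r "$DNSMASQ_PIDFILE" ]; then
        kill -HUP "$(cat "$DNSMASQ_PIDFILE")"
    fi
}
```

Source this file from the dnsmasq init script and run `$(dnsmasq_command)` there; wire `ntp_time_valid_hook` into whatever the NTP client executes on first synchronisation (busybox ntpd's `-S` script, for example). Because the marker persists only until reboot, a restart before NTP has synced again starts dnsmasq with relaxed checks, which is the intended behaviour for a router with no battery-backed clock.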

Thread overview: 51+ messages
2014-03-22  3:33 Joseph Swick
2014-03-22 17:42 ` Dave Taht
2014-03-22 18:43   ` Simon Kelley
2014-03-22 19:38     ` Toke Høiland-Jørgensen
2014-03-22 19:42       ` Simon Kelley
2014-03-22 20:00         ` Toke Høiland-Jørgensen
2014-03-24 21:39           ` Simon Kelley
2014-03-27 20:38           ` Simon Kelley [this message]
2014-03-28  7:57             ` Toke Høiland-Jørgensen
2014-03-28  9:08               ` Simon Kelley
2014-03-28  9:18                 ` Toke Høiland-Jørgensen
2014-03-28 10:41                   ` Simon Kelley
2014-03-28 10:48                     ` Toke Høiland-Jørgensen
2014-03-28 19:46                       ` Simon Kelley
2014-03-28 20:55                       ` Simon Kelley
2014-03-29  9:20                         ` Toke Høiland-Jørgensen
2014-03-29 10:55                           ` [Cerowrt-devel] DNSSEC & NTP Bootstrapping -- prototype! Toke Høiland-Jørgensen
2014-03-29 21:21                             ` Michael Richardson
2014-03-29 21:30                               ` Dave Taht
2014-03-30 13:21                                 ` Toke Høiland-Jørgensen
2014-03-30 16:59                                   ` Dave Taht
2014-03-30 18:38                                     ` Toke Høiland-Jørgensen
2014-03-30 19:30                                   ` Toke Høiland-Jørgensen
2014-03-30 20:06                                     ` Dave Taht
2014-03-30 20:51                                       ` Toke Høiland-Jørgensen
2014-03-31 12:42                                         ` Robert Bradley
2014-03-31 17:26                                           ` Robert Bradley
2014-03-22 21:15   ` [Cerowrt-devel] DNSSEC & NTP Bootstrapping Joseph Swick
2014-03-23 10:12     ` Aaron Wood
2014-03-23 11:15       ` Toke Høiland-Jørgensen
2014-03-23 12:11         ` David Personette
2014-03-23 12:20           ` Toke Høiland-Jørgensen
2014-03-23 12:22         ` Aaron Wood
2014-03-23 22:41           ` Michael Richardson
2014-03-24  9:51             ` Aaron Wood
2014-03-24  9:59               ` Toke Høiland-Jørgensen
2014-03-24 12:29                 ` Chuck Anderson
2014-03-24 13:39                   ` Toke Høiland-Jørgensen
2014-03-24 14:31                     ` Alijah Ballard
2014-03-24 13:54                   ` Valdis.Kletnieks
2014-03-24 19:12 ` Phil Pennock
2014-03-24 20:27   ` David Personette
2014-03-24 21:30     ` Phil Pennock
2014-03-24 21:58     ` Dave Taht
2014-03-25  9:55       ` David Personette
2014-03-25 14:25       ` Michael Richardson
2014-03-24 21:03   ` Toke Høiland-Jørgensen
2014-03-24 22:09     ` Török Edwin
2014-03-24 23:33       ` Toke Høiland-Jørgensen
2014-03-25  1:16         ` Joseph Swick
2014-03-24 22:16     ` Phil Pennock
