Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping

[Simon Kelley <simon@thekelleys.org.uk>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 22/03/14 20:00, Toke Høiland-Jørgensen wrote:
> Simon Kelley <simon@thekelleys.org.uk> writes:
> 
>> That would be possible: it would require care to make it work in
>> the face of the system time being warped by NTP. Best way may  be
>> to use times() rather than time()
> 
> Good point. Since the availability of reliable time is what we're 
> waiting for, perhaps a large jump in the system clock could be
> taken to mean it has been achieved and taken as a signal to exit
> the grace period? With a timer for the case where the time is
> already accurate, of course. This would make it rather specific to
> this use case, though...
> 
> -Toke
> 


Ok, here's a suggestion.

Add a command-line flag to dnsmasq, called --dnssec-no-timecheck or
something, which disables the checking of RRSIG inception and expiry
times. This flag is automatically reset when dnsmasq gets the SIGHUP
signal which causes it to clear the cache and re-read (some)
configuration.

Now CeroWRT or equivalent can modify the script which starts or
restarts dnsmasq to provide that flag iff NTP has not found a valid
time yet, and modify the NTP script to SIGHUP dnsmasq when a valid
time is found. Any malicious entries which may have entered the cache
during the period of relaxed checking are discarded at this point.


This is trivial to do, and can go in 2.69rc2, if agreed promptly.


Cheers,

Simon.





-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlM0jCsACgkQKPyGmiibgrdEnQCfQ94UI/kbBmmX3sEUGBAMCtDS
glgAoIH2EAadNw4WmJAXBhYtknTHGk/r
=VGN4
-----END PGP SIGNATURE-----