From: Simon Kelley
Date: Thu, 27 Mar 2014 20:38:10 +0000
To: Toke Høiland-Jørgensen
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping
Message-ID: <53348C32.4040907@thekelleys.org.uk>
In-Reply-To: <87ppleroks.fsf@alrua-x1.karlstad.toke.dk>

On 22/03/14 20:00, Toke Høiland-Jørgensen wrote:
> Simon Kelley writes:
>
>> That would be possible: it would require care to make it work in
>> the face of the system time being warped by NTP. Best way may be
>> to use times() rather than time()
>
> Good point. Since the availability of reliable time is what we're
> waiting for, perhaps a large jump in the system clock could be
> taken to mean it has been achieved and taken as a signal to exit
> the grace period? With a timer for the case where the time is
> already accurate, of course. This would make it rather specific to
> this use case, though...
>
> -Toke
>

Ok, here's a suggestion.

Add a command-line flag to dnsmasq, called --dnssec-no-timecheck or
something, which disables the checking of RRSIG inception and expiry
times. This flag is automatically reset when dnsmasq gets the SIGHUP
signal which causes it to clear the cache and re-read (some)
configuration.

Now CeroWRT or equivalent can modify the script which starts or
restarts dnsmasq to provide that flag iff NTP has not found a valid
time yet, and modify the NTP script to SIGHUP dnsmasq when a valid
time is found. Any malicious entries which may have entered the cache
during the period of relaxed checking are discarded at this point.

This is trivial to do, and can go in 2.69rc2, if agreed promptly.

Cheers,

Simon.
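
The start-script and NTP-hook arrangement proposed in the message, sketched as an added example (not part of the original e-mail, and not CeroWRT's or dnsmasq's own scripts). The marker file, state directory and function names are assumptions; the flag name is the one proposed in the message.

```shell
#!/bin/sh
# Assumption: STATE_DIR lives on tmpfs, so the marker vanishes on reboot and
# every boot starts in the relaxed mode until NTP reports a valid time again.
STATE_DIR="${STATE_DIR:-/var/run}"
TIME_OK_MARKER="$STATE_DIR/ntp-time-valid"          # hypothetical marker file
DNSMASQ_PIDFILE="${DNSMASQ_PIDFILE:-$STATE_DIR/dnsmasq.pid}"

# Print the extra argument for this (re)start: the relaxed flag only while
# NTP has not yet produced a valid time, nothing once the clock is trusted.
dnsmasq_time_args() {
    [ -e "$TIME_OK_MARKER" ] || printf '%s\n' "--dnssec-no-timecheck"
}

# Used by the script that starts or restarts dnsmasq.
start_dnsmasq() {
    # Unquoted on purpose: expands to zero words when the clock is trusted.
    dnsmasq --pid-file="$DNSMASQ_PIDFILE" $(dnsmasq_time_args) "$@"
}

# Called from the NTP client's hook once it has a valid time.
ntp_time_valid() {
    # Write the marker first, so a restart racing with this hook already
    # starts with full RRSIG time checking.
    : > "$TIME_OK_MARKER" || return 1

    # No pid file: dnsmasq is not running, the next start will be strict.
    [ -r "$DNSMASQ_PIDFILE" ] || return 0

    pid=$(cat "$DNSMASQ_PIDFILE")
    case "$pid" in
        ''|*[!0-9]*) return 1 ;;    # refuse to signal on a malformed pid file
    esac

    # SIGHUP resets the relaxed flag and clears the cache, discarding
    # anything accepted while time checking was off.
    kill -HUP "$pid"
}
```

The hook fails rather than guessing when the pid file is malformed, so a caller can fall back to a full restart of dnsmasq, which also drops the cache.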