From: Simon Kelley <simon@thekelleys.org.uk>
To: "Toke Høiland-Jørgensen" <toke@toke.dk>
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping
Date: Fri, 28 Mar 2014 09:08:23 +0000 [thread overview]
Message-ID: <53353C07.9030000@thekelleys.org.uk> (raw)
In-Reply-To: <87ha6idabz.fsf@alrua-x1.karlstad.toke.dk>
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 28/03/14 07:57, Toke Høiland-Jørgensen wrote:
> Simon Kelley <simon@thekelleys.org.uk> writes:
>
>> Add a command-line flag to dnsmasq, called --dnssec-no-timecheck
>> or something, which disables the checking of RRSIG inception and
>> expiry times. This flag is automatically reset when dnsmasq gets
>> the SIGHUP signal which causes it to clear the cache and re-read
>> (some) configuration.
>
> One issue with this is that the openwrt init scripts currently take
> ages to restart dnsmasq because it has to rebuild the configuration
> from uci, which is done in shell.
Which makes this scheme better, since you don't have to restart
dnsmasq once the time stabilises, just SIGHUP it.
> Other than that I like the approach; it would enable *some*
> validation at least (I presume?).
All validation apart from checking the dates on the keys would continue.
>
> Another approach to "exiting" the mode could be that if the flag
> is turned off, for each validation attempt, first try to see if the
> time *does* validate; if it does, turn off the flag, otherwise
> retry the validation while ignoring the time. That would make it
> possible to just stick the flag in the configuration and have
> things "just work", I think. Only instance I can think of where
> this is not true is if some lookup succeeds due to a longer
> validity time, which will disable the flag, and then having the
> subsequent NTP server lookup fail. Not sure what the probability of
> this happening is, though.
Neither am I, nut it would be an interesting bug to find.....
I'll add --dnssec-no-timecheck when I get a moment today.
Cheers,
Simon.
>
> -Toke
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlM1PAcACgkQKPyGmiibgrfVRwCaAkzlyNV7rl6TCEImWbyd8ohJ
gtQAn3BJe5MneWk1c44ZiZkMNrxHCFIj
=Erot
-----END PGP SIGNATURE-----
next prev parent reply other threads:[~2014-03-28 9:08 UTC|newest]
Thread overview: 51+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-03-22 3:33 Joseph Swick
2014-03-22 17:42 ` Dave Taht
2014-03-22 18:43 ` Simon Kelley
2014-03-22 19:38 ` Toke Høiland-Jørgensen
2014-03-22 19:42 ` Simon Kelley
2014-03-22 20:00 ` Toke Høiland-Jørgensen
2014-03-24 21:39 ` Simon Kelley
2014-03-27 20:38 ` Simon Kelley
2014-03-28 7:57 ` Toke Høiland-Jørgensen
2014-03-28 9:08 ` Simon Kelley [this message]
2014-03-28 9:18 ` Toke Høiland-Jørgensen
2014-03-28 10:41 ` Simon Kelley
2014-03-28 10:48 ` Toke Høiland-Jørgensen
2014-03-28 19:46 ` Simon Kelley
2014-03-28 20:55 ` Simon Kelley
2014-03-29 9:20 ` Toke Høiland-Jørgensen
2014-03-29 10:55 ` [Cerowrt-devel] DNSSEC & NTP Bootstrapping -- prototype! Toke Høiland-Jørgensen
2014-03-29 21:21 ` Michael Richardson
2014-03-29 21:30 ` Dave Taht
2014-03-30 13:21 ` Toke Høiland-Jørgensen
2014-03-30 16:59 ` Dave Taht
2014-03-30 18:38 ` Toke Høiland-Jørgensen
2014-03-30 19:30 ` Toke Høiland-Jørgensen
2014-03-30 20:06 ` Dave Taht
2014-03-30 20:51 ` Toke Høiland-Jørgensen
2014-03-31 12:42 ` Robert Bradley
2014-03-31 17:26 ` Robert Bradley
2014-03-22 21:15 ` [Cerowrt-devel] DNSSEC & NTP Bootstrapping Joseph Swick
2014-03-23 10:12 ` Aaron Wood
2014-03-23 11:15 ` Toke Høiland-Jørgensen
2014-03-23 12:11 ` David Personette
2014-03-23 12:20 ` Toke Høiland-Jørgensen
2014-03-23 12:22 ` Aaron Wood
2014-03-23 22:41 ` Michael Richardson
2014-03-24 9:51 ` Aaron Wood
2014-03-24 9:59 ` Toke Høiland-Jørgensen
2014-03-24 12:29 ` Chuck Anderson
2014-03-24 13:39 ` Toke Høiland-Jørgensen
2014-03-24 14:31 ` Alijah Ballard
2014-03-24 13:54 ` Valdis.Kletnieks
2014-03-24 19:12 ` Phil Pennock
2014-03-24 20:27 ` David Personette
2014-03-24 21:30 ` Phil Pennock
2014-03-24 21:58 ` Dave Taht
2014-03-25 9:55 ` David Personette
2014-03-25 14:25 ` Michael Richardson
2014-03-24 21:03 ` Toke Høiland-Jørgensen
2014-03-24 22:09 ` Török Edwin
2014-03-24 23:33 ` Toke Høiland-Jørgensen
2014-03-25 1:16 ` Joseph Swick
2014-03-24 22:16 ` Phil Pennock
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
List information: https://lists.bufferbloat.net/postorius/lists/cerowrt-devel.lists.bufferbloat.net/
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=53353C07.9030000@thekelleys.org.uk \
--to=simon@thekelleys.org.uk \
--cc=cerowrt-devel@lists.bufferbloat.net \
--cc=toke@toke.dk \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox