From: Simon Kelley
To: Toke Høiland-Jørgensen
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Fri, 28 Mar 2014 09:08:23 +0000
Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping
Message-ID: <53353C07.9030000@thekelleys.org.uk>
In-Reply-To: <87ha6idabz.fsf@alrua-x1.karlstad.toke.dk>

On 28/03/14 07:57, Toke Høiland-Jørgensen wrote:
> Simon Kelley writes:
>
>> Add a command-line flag to dnsmasq, called --dnssec-no-timecheck
>> or something, which disables the checking of RRSIG inception and
>> expiry times. This flag is automatically reset when dnsmasq gets
>> the SIGHUP signal which causes it to clear the cache and re-read
>> (some) configuration.
>
> One issue with this is that the openwrt init scripts currently take
> ages to restart dnsmasq because it has to rebuild the configuration
> from uci, which is done in shell.

Which makes this scheme better, since you don't have to restart dnsmasq
once the time stabilises, just SIGHUP it.

> Other than that I like the approach; it would enable *some*
> validation at least (I presume?).

All validation apart from checking the dates on the keys would continue.

> Another approach to "exiting" the mode could be that if the flag
> is turned off, for each validation attempt, first try to see if the
> time *does* validate; if it does, turn off the flag, otherwise
> retry the validation while ignoring the time. That would make it
> possible to just stick the flag in the configuration and have
> things "just work", I think. Only instance I can think of where
> this is not true is if some lookup succeeds due to a longer
> validity time, which will disable the flag, and then having the
> subsequent NTP server lookup fail. Not sure what the probability of
> this happening is, though.

Neither am I, but it would be an interesting bug to find.....

I'll add --dnssec-no-timecheck when I get a moment today.

Cheers,

Simon.

> -Toke
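The two ways of leaving the no-timecheck mode discussed in this thread, modelled as an added example. This is not dnsmasq code and does not touch dnsmasq's internals; the class names, the RRSIG records and the "router clock three weeks behind" scenario are all constructed for illustration. Policy A is Simon's explicit flag that only SIGHUP clears; policy B is Toke's self-clearing variant, and the sample data is chosen so that it reproduces the edge case Toke describes (a long-validity record passes the time check under the wrong clock, clears the flag, and the NTP server lookup that follows then fails).

```python
"""Model of the two DNSSEC time-check bootstrap policies from the thread.

Added example written for this page; it is not dnsmasq code. Names,
records and clock values below are made up.

Policy A (Simon): an explicit no-timecheck flag that skips the RRSIG
inception/expiration check until the daemon is SIGHUPed.
Policy B (Toke): the flag clears itself the first time a record's time
window validates under the current clock.
"""
from dataclasses import dataclass

DAY = 86400
REAL_NOW = 1395964800            # 2014-03-28 00:00:00 UTC, the "true" time
WRONG_NOW = REAL_NOW - 21 * DAY  # router clock three weeks behind at boot (constructed)


@dataclass
class RRSIG:
    """The RRSIG fields that matter here (RFC 4034 section 3.1)."""
    name: str
    inception: int    # signature inception, seconds since the epoch
    expiration: int   # signature expiration, seconds since the epoch
    crypto_ok: bool   # outcome of the actual signature verification, assumed done elsewhere


def time_ok(sig: RRSIG, now: int) -> bool:
    """RFC 4034 section 3.1.5: valid only when inception <= now <= expiration
    (serial-number arithmetic ignored for this model)."""
    return sig.inception <= now <= sig.expiration


class FlagValidator:
    """Policy A: skip the time check while no_timecheck is set; SIGHUP resets it.
    Every other part of validation (the signature itself) still runs."""

    def __init__(self, no_timecheck: bool):
        self.no_timecheck = no_timecheck

    def sighup(self) -> None:
        # The proposal also clears the cache on SIGHUP; only the flag is modelled.
        self.no_timecheck = False

    def validate(self, sig: RRSIG, now: int) -> bool:
        if not sig.crypto_ok:
            return False
        if self.no_timecheck:
            return True
        return time_ok(sig, now)


class AutoClearValidator(FlagValidator):
    """Policy B: try the real time check first; if it passes, the flag is
    cleared for good, otherwise validate ignoring the time."""

    def validate(self, sig: RRSIG, now: int) -> bool:
        if not sig.crypto_ok:
            return False
        if self.no_timecheck:
            if time_ok(sig, now):
                self.no_timecheck = False
            return True
        return time_ok(sig, now)


# Constructed sample signatures (made-up names). The first zone signs with a
# long validity window, the NTP server's zone with a short one.
LONG_SIG = RRSIG("long.example.org.", REAL_NOW - 25 * DAY, REAL_NOW + 5 * DAY, True)
NTP_SIG = RRSIG("ntp.example.net.", REAL_NOW - 2 * DAY, REAL_NOW + 5 * DAY, True)


def bootstrap_sequence(v: FlagValidator) -> list:
    """Lookups in boot order under the wrong clock: some long-validity name
    first (say, a package mirror), then the NTP server."""
    return [v.validate(LONG_SIG, WRONG_NOW), v.validate(NTP_SIG, WRONG_NOW)]


if __name__ == "__main__":
    a = FlagValidator(no_timecheck=True)
    print("policy A before SIGHUP:", bootstrap_sequence(a))                         # [True, True]
    a.sighup()
    print("policy A after SIGHUP, clock still wrong:", a.validate(NTP_SIG, WRONG_NOW))  # False
    print("policy A after SIGHUP, clock fixed:", a.validate(NTP_SIG, REAL_NOW))         # True

    b = AutoClearValidator(no_timecheck=True)
    # The long-validity record passes the time check under the wrong clock,
    # clears the flag, and the NTP lookup that follows fails: Toke's edge case.
    print("policy B:", bootstrap_sequence(b))                                       # [True, False]
```

Two things worth keeping in mind when running either policy for real: the inception/expiration check is the only part of DNSSEC that bounds replay, so while the time check is off a resolver will accept any expired answer that once validated (an old signed RRset under a key that has since been rolled, for instance), which is why the mode should end as soon as the clock is trustworthy; and with policy B the flag is cleared by whichever record happens to validate first, so the order of lookups at boot, not just the clock, decides whether the NTP lookup succeeds.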