Simon Kelley writes:

> One possibility would be to store the current time in NVRAM. When the
> router comes up, that gives a lower bound on the current time, and
> would solve attacks using old keys.

This is already implemented (basically it finds the most recently modified file in /etc and sets the time to that; I think there's also a script that periodically refreshes some file there), and works to keep time during a reboot. However, when first flashing an image, the time will be whatever time that image was created...

> Less drastic would be to disable the key-time checks for this phase.
> Simplest would be a config flag: start it up with that flag whilst NTP
> does its stuff, then restart without when the clock is OK. Another
> option would be to disable the checks when the query arrives from a
> "magic" loopback address: maybe 127.110.116.112 (127.'n'.'t'.'p')

The magic address would require the resolver and/or the ntp daemon to be patched?

What about a config option that adds a grace time? Say enable dnssec after N seconds?

-Toke
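The "newest file in /etc" time floor Toke describes, written out as an added example (this is not the script from the firmware being discussed, nor dnsmasq code). It assumes GNU or BusyBox `stat -c %Y` and `date -s @<epoch>`, defaults to scanning /etc, and uses a hypothetical marker file name `.timestamp` for the periodic refresh. The floor is only a lower bound: it lets DNSSEC key validity checks reject keys that expired before the image or the last refresh, but the clock still needs NTP before it is actually correct, and on a freshly flashed image the floor is the build time.

```shell
#!/bin/sh
# Added example, not the original firmware script. Derives a lower bound on the
# current time from file mtimes and raises the system clock to it when the clock
# is behind (typical after a reboot on a router with no battery-backed RTC).
# Assumptions: GNU/BusyBox `stat -c %Y` and `date -s @<epoch>`; directory
# defaults to /etc; marker file name `.timestamp` is hypothetical.

# newest_mtime [DIR]: print the largest mtime (epoch seconds) of any regular
# file under DIR. Prints nothing and returns 1 if DIR is missing or empty.
newest_mtime() {
    dir=${1:-/etc}
    [ -d "$dir" ] || return 1
    latest=$(find "$dir" -type f -exec stat -c %Y {} + 2>/dev/null | sort -n | tail -n 1)
    [ -n "$latest" ] || return 1
    printf '%s\n' "$latest"
}

# clock_is_behind NOW FLOOR: true (0) when the clock reading NOW is earlier
# than the lower bound FLOOR, both in epoch seconds.
clock_is_behind() {
    [ "$1" -lt "$2" ]
}

# apply_time_floor [DIR] [dry]: compute the floor from DIR and, if the clock is
# behind it, set the clock (or only report when the second argument is "dry").
# Returns 0 when the clock was (or would be) raised, 1 when it was already at
# or past the floor, 2 when no floor could be derived.
apply_time_floor() {
    dir=${1:-/etc}
    dry=${2:-}
    floor=$(newest_mtime "$dir") || { echo "no files in $dir, no time floor" >&2; return 2; }
    now=$(date +%s)
    if clock_is_behind "$now" "$floor"; then
        if [ -n "$dry" ]; then
            echo "would set clock: $now -> $floor"
        else
            # Requires root; only ever moves the clock forward, never back.
            date -s "@$floor" >/dev/null
            echo "clock set: $now -> $floor"
        fi
        return 0
    fi
    echo "clock already at or past floor ($now >= $floor)"
    return 1
}

# refresh_time_stamp [DIR]: meant to run periodically (e.g. from cron) once NTP
# has synced, so the floor keeps advancing and survives the next reboot.
refresh_time_stamp() {
    touch "${1:-/etc}/.timestamp"
}
```

At boot an init script would call `apply_time_floor /etc` before starting the resolver; a cron entry would call `refresh_time_stamp /etc` every so often after NTP has synced. Because the function never moves the clock backwards, a correctly synced clock is left alone even if the marker file is stale.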