From: Toke Høiland-Jørgensen
To: Simon Kelley
Cc: cerowrt-devel@lists.bufferbloat.net
Date: Sat, 29 Mar 2014 11:55:40 +0100
Message-ID: <87bnwpb7f7.fsf_-_@alrua-x1.karlstad.toke.dk>
In-Reply-To: <87k3bdbbt6.fsf@alrua-x1.karlstad.toke.dk> (Toke Høiland-Jørgensen's message of "Sat, 29 Mar 2014 10:20:53 +0100")
References: <532DD9DD.8040301@thekelleys.org.uk> <871txut453.fsf@alrua-x1.karlstad.toke.dk> <532DE7A8.3010504@thekelleys.org.uk> <87ppleroks.fsf@alrua-x1.karlstad.toke.dk> <53348C32.4040907@thekelleys.org.uk> <87ha6idabz.fsf@alrua-x1.karlstad.toke.dk> <53353C07.9030000@thekelleys.org.uk> <87eh1madfy.fsf@toke.dk> <533551F6.9010402@thekelleys.org.uk> <87lhvu8uqi.fsf@toke.dk> <5335E1BD.7010304@thekelleys.org.uk> <87k3bdbbt6.fsf@alrua-x1.karlstad.toke.dk>
Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping -- prototype!
Right, so I took a stab at prototyping something based on the --dnssec-no-timecheck option Simon just added to dnsmasq. There's an updated dnsmasq package here:

http://archive.tohojo.dk/cerowrt/wndr/3.10.32-12-tohojo/packages/dnsmasq-dhcpv6_2014-03-29-b7639d58158c6e971535893b407560e136a27994_ar71xx.ipk

Apart from the change to dnsmasq itself, it has a modification to the init script that will add the parameter to dnsmasq on bootup (but not on subsequent restarts), and then spawn a script that will check the ntpd stratum status and wait for it to be set; or, if no stratum information is available, just set the time with ntpd -q. Once either the time has been set or ntpd reports a valid stratum, dnsmasq is sent SIGHUP to turn DNSSEC time validation back on.

To get ntpd to report its stratum status, it is spawned with the -S parameter, which will periodically report its status, including stratum. A small script then records that in a file which the dnsmasq script checks. Since the script falls back to running ntpd -q, this change to ntpd is not strictly necessary; but I thought it better to make it available rather than running a second NTP sync on top of the running ntpd server.
To enable the ntpd modification, replace /etc/init.d/sysntpd with the attached file, put this into /usr/sbin/ntpd_record_stratum and chmod +x it:

#!/bin/sh
# Called by busybox ntpd -S on stratum changes, time steps and periodically;
# ntpd exports the current stratum to the hook as $stratum.
echo "$stratum" > /var/ntp.stratum

There's a busybox package with this modification included here, but I can't promise it is built with the exact same options as the one distributed with cerowrt (though it works for me):

http://archive.tohojo.dk/cerowrt/wndr/3.10.32-12-tohojo/packages/busybox_1.19.4-7_ar71xx.ipk

Please test this out and let me know if it works for you. It seems to work for me; however, I have not been successful in actually getting my router to boot up without the time synced. Not sure if it's just ntpd that syncs up before the script runs (and then takes a while to update its stratum), or if some hidden mechanism does something magical to set the time (even when the *fixtime init scripts are disabled).

-Toke

Attachment: sysntpd

#!/bin/sh /etc/rc.common
# Copyright (C) 2011 OpenWrt.org
# procd init script for busybox ntpd. The only change from the stock sysntpd
# is the -S hook, which records the stratum for the dnsmasq wait script.

START=98
USE_PROCD=1
PROG=/usr/sbin/ntpd

validate_ntp_section() {
	uci_validate_section system timeserver "${1}" \
		'server:list(host)' \
		'enable_server:bool:0'
}

start_service() {
	local server enable_server peer

	validate_ntp_section ntp || {
		echo "validation failed"
		return 1
	}

	# Nothing to do if no upstream servers are configured.
	[ -z "$server" ] && return

	procd_open_instance
	# -n: stay in the foreground for procd; -S: run the hook on stratum
	# changes, time steps and periodically, with $stratum exported to it.
	procd_set_param command "$PROG" -n -S /usr/sbin/ntpd_record_stratum
	[ "$enable_server" = "1" ] && procd_append_param command -l
	for peer in $server; do
		procd_append_param command -p $peer
	done
	procd_set_param respawn
	procd_close_instance
}

service_triggers() {
	procd_add_reload_trigger "system"
	procd_add_validation validate_ntp_section
}
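The wait-then-signal helper that the message describes (poll the stratum file written by the ntpd -S hook, fall back to a one-shot ntpd, then signal dnsmasq to turn DNSSEC time checks back on), as an added example: this is not the script shipped in Toke's dnsmasq package, and it is not dnsmasq's or busybox's own code. It assumes the /var/ntp.stratum file from the hook above, an assumed dnsmasq pidfile path of /var/run/dnsmasq.pid, an assumed one-shot fallback command, and a hypothetical file name dnssec-wait-ntp.sh for the direct-execution guard. It treats stratum 1 through 15 as synchronized, since busybox ntpd reports stratum 16 in its unsync callback and 0 means no information; it sends SIGHUP as the message does, but later dnsmasq releases moved the re-enable to SIGINT, so check the man page for the version you run and set RESYNC_SIGNAL accordingly. If neither path ever synchronizes the clock, the helper deliberately leaves the checks off and returns non-zero rather than sending the signal, because with a 1970 clock every signature would fail its validity window and all validated lookups would break; the trade-off is that until then expired or not-yet-valid signatures are accepted, so this state should be logged and bounded by the caller.

```shell
#!/bin/sh
# Added example, not the script from the cerowrt dnsmasq package.
# Bootstraps DNSSEC time checks: wait for ntpd to report a usable stratum
# (via the ntpd_record_stratum -S hook), else set the time with a one-shot
# ntpd, and only then signal dnsmasq to re-enable signature time checks.

STRATUM_FILE="${STRATUM_FILE:-/var/ntp.stratum}"
DNSMASQ_PIDFILE="${DNSMASQ_PIDFILE:-/var/run/dnsmasq.pid}"      # assumed path
NTPD_ONESHOT="${NTPD_ONESHOT:-ntpd -q -n -p pool.ntp.org}"      # assumed fallback
RESYNC_SIGNAL="${RESYNC_SIGNAL:-HUP}"   # HUP per dnsmasq 2.69; later releases use INT
POLL_SECONDS="${POLL_SECONDS:-2}"       # must be >= 1

# stratum_valid STRATUM -> 0 if STRATUM is 1..15 (synchronized), else 1.
# busybox ntpd exports 16 (MAXSTRAT) in its "unsync" callback; 0 is "unknown".
stratum_valid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 15 ]
}

# current_stratum FILE -> prints the first line of FILE, or "none" if absent/empty.
current_stratum() {
    s=""
    [ -r "$1" ] && read -r s < "$1"
    echo "${s:-none}"
}

# wait_for_stratum FILE TIMEOUT_SECONDS -> 0 once a valid stratum is recorded,
# 1 if TIMEOUT_SECONDS pass without one.
wait_for_stratum() {
    file=$1; deadline=$2; waited=0
    while [ "$waited" -lt "$deadline" ]; do
        s=$(current_stratum "$file")
        if stratum_valid "$s"; then
            echo "ntpd reports stratum $s"
            return 0
        fi
        sleep "$POLL_SECONDS"
        waited=$((waited + POLL_SECONDS))
    done
    return 1
}

# signal_dnsmasq PIDFILE SIGNAL -> send SIGNAL to the pid in PIDFILE.
signal_dnsmasq() {
    pidfile=$1; sig=$2
    [ -r "$pidfile" ] || return 1
    read -r pid < "$pidfile"
    kill -"$sig" "$pid"
}

# bootstrap_dnssec_time [TIMEOUT_SECONDS] -> 0 after dnsmasq was signalled,
# 1 if the clock could not be synchronized (time checks stay disabled).
bootstrap_dnssec_time() {
    if wait_for_stratum "$STRATUM_FILE" "${1:-120}"; then
        :
    elif $NTPD_ONESHOT; then
        echo "no usable stratum; time set with one-shot ntpd"
    else
        echo "time still unsynchronized; leaving DNSSEC time checks disabled" >&2
        return 1
    fi
    signal_dnsmasq "$DNSMASQ_PIDFILE" "$RESYNC_SIGNAL"
}

# Only act when run directly under the assumed name; sourcing just defines functions.
if [ "${0##*/}" = "dnssec-wait-ntp.sh" ]; then
    bootstrap_dnssec_time "${1:-120}"
fi
```

The init script would background this helper right after starting dnsmasq with --dnssec-no-timecheck; because the -S hook also fires on "unsync", a stratum of 16 appearing later in /var/ntp.stratum is a useful signal that the clock should no longer be trusted, even though dnsmasq offers no way to turn the checks off again without a restart.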