Development issues regarding the cerowrt test router project
From: "Toke Høiland-Jørgensen" <toke@toke.dk>
To: Simon Kelley <simon@thekelleys.org.uk>
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping
Date: Fri, 28 Mar 2014 08:57:36 +0100
Message-ID: <87ha6idabz.fsf@alrua-x1.karlstad.toke.dk>
In-Reply-To: <53348C32.4040907@thekelleys.org.uk> (Simon Kelley's message of "Thu, 27 Mar 2014 20:38:10 +0000")


Simon Kelley <simon@thekelleys.org.uk> writes:

> Add a command-line flag to dnsmasq, called --dnssec-no-timecheck or
> something, which disables the checking of RRSIG inception and expiry
> times. This flag is automatically reset when dnsmasq gets the SIGHUP
> signal which causes it to clear the cache and re-read (some)
> configuration.

One issue with this is that the openwrt init scripts currently take ages
to restart dnsmasq because it has to rebuild the configuration from uci,
which is done in shell. Other than that I like the approach; it would
enable *some* validation at least (I presume?).

Another approach to "exiting" the mode could be that if the flag is
turned off, for each validation attempt, first try to see if the time
*does* validate; if it does, turn off the flag, otherwise retry the
validation while ignoring the time. That would make it possible to just
stick the flag in the configuration and have things "just work", I
think. Only instance I can think of where this is not true is if some
lookup succeeds due to a longer validity time, which will disable the
flag, and then having the subsequent NTP server lookup fail. Not sure
what the probability of this happening is, though.

-Toke
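
The self-clearing variant described in the message above, together with the failure case it mentions, as an added example that is not part of the original message and is not dnsmasq code. It assumes a simplified model in which only the RRSIG validity window is checked; the struct and function names, the record names and all timestamps are constructed for illustration.

```c
#include <stdbool.h>
#include <stdio.h>
#include <time.h>

/* Simplified model: only the RRSIG validity window is checked here; the
 * cryptographic signature check is assumed to have passed already. */
struct rrsig { const char *name; time_t inception, expiration; };

/* no_timecheck models the proposed flag (hypothetical field name). */
struct validator { bool no_timecheck; };

static bool window_ok(const struct rrsig *s, time_t now)
{
    return s->inception <= now && now <= s->expiration;
}

/* Try the time check first. If it passes, clear the flag. If it fails,
 * accept the answer only while the flag is still set. */
bool validate(struct validator *v, const struct rrsig *s, time_t now)
{
    if (window_ok(s, now)) {
        v->no_timecheck = false;
        return true;
    }
    return v->no_timecheck;
}

/* Constructed scenario: the router clock is stale (behind real time).
 * Bit 0: NTP name accepted while flag set; bit 1: long-lived record
 * passes the time check; bit 2: NTP name rejected afterwards. */
int scenario_edge_case(void)
{
    const time_t day = 86400;
    const time_t stale = 1393632000;   /* constructed clock value */
    struct rrsig long_lived = { "long.example", stale - 30 * day, stale + 60 * day };
    struct rrsig ntp = { "ntp.example", stale + 20 * day, stale + 34 * day };
    struct validator v = { .no_timecheck = true };
    int r = 0;

    if (validate(&v, &ntp, stale))        r |= 1;
    if (validate(&v, &long_lived, stale)) r |= 2;
    if (!validate(&v, &ntp, stale))       r |= 4;
    return r;
}

int main(void)
{
    printf("edge case bits: %d\n", scenario_edge_case());
    return 0;
}
```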


