From: Toke Høiland-Jørgensen
To: Simon Kelley
Cc: cerowrt-devel@lists.bufferbloat.net
Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping
Date: Fri, 28 Mar 2014 08:57:36 +0100
Message-ID: <87ha6idabz.fsf@alrua-x1.karlstad.toke.dk>
In-Reply-To: <53348C32.4040907@thekelleys.org.uk> (Simon Kelley's message of "Thu, 27 Mar 2014 20:38:10 +0000")
References: <532DD9DD.8040301@thekelleys.org.uk> <871txut453.fsf@alrua-x1.karlstad.toke.dk> <532DE7A8.3010504@thekelleys.org.uk> <87ppleroks.fsf@alrua-x1.karlstad.toke.dk> <53348C32.4040907@thekelleys.org.uk>
List-Id: Development issues regarding the cerowrt test router project

Simon Kelley writes:

> Add a command-line flag to dnsmasq, called --dnssec-no-timecheck or
> something, which disables the checking of RRSIG inception and expiry
> times. This flag is automatically reset when dnsmasq gets the SIGHUP
> signal which causes it to clear the cache and re-read (some)
> configuration.

One issue with this is that the openwrt init scripts currently take ages to restart dnsmasq because it has to rebuild the configuration from uci, which is done in shell.

Other than that I like the approach; it would enable *some* validation at least (I presume?).

Another approach to "exiting" the mode could be that if the flag is turned off, for each validation attempt, first try to see if the time *does* validate; if it does, turn off the flag, otherwise retry the validation while ignoring the time. That would make it possible to just stick the flag in the configuration and have things "just work", I think.

The only instance I can think of where this is not true is if some lookup succeeds due to a longer validity time, which will disable the flag, and then the subsequent NTP server lookup fails. Not sure what the probability of this happening is, though.

-Toke
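The two ways of leaving the no-timecheck mode discussed above, simulated as an added example (this is not dnsmasq code and not part of the thread). It models only the RRSIG time-window rule from RFC 4035 section 5.3.1 (the validator's current time must lie between the RRSIG inception and expiration); the records, the stale boot-time clock and the `Validator`, `Clock`, `RRSig` names are all constructed for illustration. The three scenarios show Simon's SIGHUP-reset flag, Toke's auto-clearing variant on the happy path, and the failure case Toke raises, where a long-lived signature validates against the wrong clock, clears the flag, and the short-lived NTP server record is then rejected before the clock has been set.

```python
"""Toy model of DNSSEC validation with a "--dnssec-no-timecheck" bootstrap flag.

Constructed example: a fake clock, fake RRSIG windows and a validator that only
implements the time-window rule of RFC 4035 s5.3.1. Not dnsmasq code.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class RRSig:
    """The parts of an RRSIG that matter for the time check (constructed)."""
    owner: str
    inception: datetime
    expiration: datetime
    crypto_ok: bool = True  # stand-in for the real signature verification


class Clock:
    """Settable clock, so a scenario can model ntpd correcting the time."""
    def __init__(self, t):
        self.t = t

    def __call__(self):
        return self.t


class Validator:
    """Toy validator; auto_exit selects Toke's self-clearing variant of the flag."""

    def __init__(self, clock, no_timecheck=False, auto_exit=False):
        self.clock = clock
        self.no_timecheck = no_timecheck
        self.auto_exit = auto_exit

    @staticmethod
    def in_window(sig, now):
        return sig.inception <= now <= sig.expiration

    def validate(self, sig):
        """Return 'SECURE', 'SECURE-NOTIME' or 'BOGUS' for one RRSIG."""
        if not sig.crypto_ok:
            return "BOGUS"          # a bad signature is bogus in every mode
        if self.in_window(sig, self.clock()):
            if self.no_timecheck and self.auto_exit:
                self.no_timecheck = False   # time validated once: leave the mode
            return "SECURE"
        if self.no_timecheck:
            return "SECURE-NOTIME"  # signature fine, time window deliberately ignored
        return "BOGUS"

    def sighup(self):
        """Simon's variant: SIGHUP clears the flag along with the cache."""
        self.no_timecheck = False


# --- constructed scenario data ---------------------------------------------
UTC = timezone.utc
BUILD_DATE = datetime(2014, 1, 15, tzinfo=UTC)   # what the router's clock says at boot
REAL_NOW = datetime(2014, 3, 28, tzinfo=UTC)     # the actual time

LONG_LIVED = RRSig("example.net.", datetime(2013, 6, 1, tzinfo=UTC),
                   datetime(2014, 6, 1, tzinfo=UTC))            # year-long window
NTP_SERVER = RRSig("ntp.example.net.", REAL_NOW - timedelta(days=7),
                   REAL_NOW + timedelta(days=7))                 # two-week window


def sighup_scenario():
    """Flag stays on until ntpd has set the clock and dnsmasq gets SIGHUP."""
    clock = Clock(BUILD_DATE)
    v = Validator(clock, no_timecheck=True, auto_exit=False)
    first = v.validate(NTP_SERVER)   # window ignored: NTP lookup succeeds
    clock.t = REAL_NOW               # ntpd corrects the clock
    v.sighup()
    second = v.validate(NTP_SERVER)  # now strictly validated
    return first, second, v.no_timecheck


def auto_exit_happy_path():
    """Toke's variant when the NTP lookup is the first thing resolved."""
    clock = Clock(BUILD_DATE)
    v = Validator(clock, no_timecheck=True, auto_exit=True)
    first = v.validate(NTP_SERVER)   # out of window, flag still set
    clock.t = REAL_NOW
    second = v.validate(NTP_SERVER)  # in window: flag clears without a SIGHUP
    return first, second, v.no_timecheck


def auto_exit_failure():
    """Toke's edge case: a long-lived RRSIG clears the flag before NTP has run."""
    clock = Clock(BUILD_DATE)
    v = Validator(clock, no_timecheck=True, auto_exit=True)
    first = v.validate(LONG_LIVED)   # stale clock happens to be inside the window
    second = v.validate(NTP_SERVER)  # flag gone, short window fails: NTP cannot start
    return first, second, v.no_timecheck


if __name__ == "__main__":
    for name in ("sighup_scenario", "auto_exit_happy_path", "auto_exit_failure"):
        print(name, globals()[name]())
```

The `SECURE-NOTIME` result is kept distinct on purpose: while the flag is set, a genuinely signed but expired record (for example, a replayed old RRSet) passes, so answers validated in that mode should not be treated as fully secure, and the mode has to be left as soon as a trustworthy time exists. The failure scenario also shows why the auto-exit variant is sensitive to ordering: whichever record happens to be validated first decides whether the flag survives long enough for the NTP lookup.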