I also don't consider the ntp/dnssec issue a blocker, not at the moment. It's a larger problem to solve, and one that needs solving in a wider context than just CeroWRT, and so we should keep working on a solution, but not make it a "release blocking" issue. It's a known issue, a known bit of research to continue chiseling away it, but not a major blocker.

Especially since we can always switch to raw-ip addresses for the ntp servers, as a workaround.

But I like some of the workarounds suggested such as starting secure, and then slowly ratching down the security as things fail. So long as we don't expose a way to cripple the unit, or otherwise coerce it into misbehavior, I think we'll find a solution along those routes.

-Aaron

On Wed, Mar 26, 2014 at 5:42 AM, <Valdis.Kletnieks@vt.edu> wrote:

On Tue, 25 Mar 2014 20:41:53 -0700, Dave Taht said:

> I'm still at a loss as to the most correct way to bring up dnssec.

Don't sweat it too much - nobody else in the security business knows
how to do it either. :) DNSSEC has even less uptake than IPv6....

_______________________________________________
Cerowrt-devel mailing list
Cerowrt-devel@lists.bufferbloat.net
https://lists.bufferbloat.net/listinfo/cerowrt-devel