From: Joseph Swick
Date: Sat, 22 Mar 2014 17:15:16 -0400
To: "cerowrt-devel@lists.bufferbloat.net"
Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping
List-Id: Development issues regarding the cerowrt test router project

On 03/22/2014 01:42 PM, Dave Taht wrote:
> On Sat, Mar 22, 2014 at 3:33 AM, Joseph Swick wrote:
>> I recently got around to updating my router a week or two ago from 3.7.?
>> to 3.10.28-16 because Comcast finally switched on IPv6 for my neck of
>> the woods (realized this when I finally noticed the performance impact
>> of the issues with Comcast IPv6 and the 3.7 release).
>
> I really, really, really want to get the comcast users off of 3.7.x. That bug
> is rather severe.

Yeah, I had kept putting off upgrading to one of the fixed releases due to the assumption that my area of Southern NH would be among the last to get IPv6 switched on. Wasn't until I started looking into why my Internet performance had gotten so bad I remembered the bug (and why I kept reminding myself to upgrade).

> There has not (as yet) been any work put into resolving the thorny
> ntp/dnssec interrelationship problem. (famous bug #113 in the cerowrt
> database). (Not having been running any releases for long enough for it
> to become a problem made it slip my mind!)

I'm more than happy to try to help out (which is why I joined the devel list), but I'm more of the Sysadmin type than Developer (which is why I've been lurking).

> The ntp servers queried presently largely are not dnssec signed, so
> the ntp queries should succeed (I think?) in the general case. However,
> for robustness, I'd argue for enhancing the ntp startup script to
> temporarily disable dnssec until it gets a valid time, and then
> enabling it. I believe support for running the script was added to
> busybox ntp, the problem remaining is how to tell dnsmasq about it
> correctly.
>

Ok, part of my issue was probably also that the clock was so far off, it didn't want to skew to the correct time.

-Joseph
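
An added example, not part of the original thread or of CeroWrt: one way to wire up the "relax DNSSEC until the clock is valid" idea quoted above, as a hook for busybox `ntpd -S`. It assumes a dnsmasq build that has `--dnssec-no-timecheck` (signature time-window checks stay off until dnsmasq receives SIGINT); the pid file path, the marker file and the epoch floor are assumptions.

```shell
#!/bin/sh
# Hook for busybox "ntpd -S /path/to/this-script" (added example).
# busybox ntpd passes the event in $1 (step, stratum, periodic, unsync)
# and exports $stratum. dnsmasq is assumed to run with --dnssec-no-timecheck.

MIN_EPOCH=1395446400                       # 2014-03-22 00:00 UTC, constructed floor
FLAG=${FLAG:-/tmp/ntp-clock-valid}         # hypothetical marker file
PIDFILE=${PIDFILE:-/var/run/dnsmasq.pid}   # assumed pid file location

# clock_is_valid EVENT STRATUM NOW -> status 0 when the clock can be trusted
clock_is_valid() {
    case "$1" in
        step|stratum|periodic) ;;
        *) return 1 ;;                     # "unsync" or anything unexpected
    esac
    case "$2" in
        ''|*[!0-9]*) return 1 ;;           # missing or non-numeric stratum
    esac
    [ "$2" -lt 16 ] || return 1            # stratum 16 means unsynchronised
    # A clock far in the past is what breaks signature validity windows,
    # so refuse to switch checking on below a known-good floor.
    [ "$3" -ge "$MIN_EPOCH" ]
}

# enable_timecheck EVENT STRATUM NOW -> signals dnsmasq once, prints the action
enable_timecheck() {
    if ! clock_is_valid "$1" "$2" "$3"; then echo "wait"; return 0; fi
    if [ -e "$FLAG" ]; then echo "already"; return 0; fi
    pid=$(cat "$PIDFILE" 2>/dev/null) || { echo "no-dnsmasq"; return 0; }
    kill -INT "$pid" 2>/dev/null || { echo "no-dnsmasq"; return 0; }
    : > "$FLAG"                            # remember that checking is now on
    echo "enabled"
}

# Entry point when ntpd invokes the hook with an event name.
if [ -n "${1:-}" ]; then
    enable_timecheck "$1" "${stratum:-16}" "$(date +%s)"
fi
```

Only the time-window check is deferred; other DNSSEC validation stays active during boot, and the marker file keeps later `periodic` events from signalling dnsmasq again.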