[Cerowrt-devel] odhcp6c went crazy flooding Comcast with DHCPv6 SOLICITs
edwin+ml-cerowrt at etorok.net
Wed Mar 26 08:20:08 EDT 2014
On 03/26/2014 12:36 PM, Aaron Wood wrote:
> I also don't consider the ntp/dnssec issue a blocker, not at the moment. It's a larger problem to solve, and one that needs solving in a wider context than just CeroWRT, and so we should keep working on a solution, but not make it a "release blocking" issue. It's a known issue, a known bit of research to continue chiseling away it, but not a major blocker.
> Especially since we can always switch to raw-ip addresses for the ntp servers, as a workaround.
> But I like some of the workarounds suggested such as starting secure, and then slowly ratching down the security as things fail. So long as we don't expose a way to cripple the unit, or otherwise coerce it into misbehavior, I think we'll find a solution along those routes.
This suggests using 'tlsdate', or the dhcp time option (if provided by another DHCP server):
tlsdate looks interesting, as you'd still have *some* protection from the TLS certificate check,
even if you patch it to fallback to an insecure DNS lookup.
More information about the Cerowrt-devel