[Cerowrt-devel] odhcp6c went crazy flooding Comcast with DHCPv6 SOLICITs

Török Edwin edwin+ml-cerowrt at etorok.net
Wed Mar 26 08:20:08 EDT 2014


On 03/26/2014 12:36 PM, Aaron Wood wrote:
> I also don't consider the ntp/dnssec issue a blocker, not at the moment.  It's a larger problem to solve, and one that needs solving in a wider context than just CeroWRT, and so we should keep working on a solution, but not make it a "release blocking" issue.  It's a known issue, a known bit of research to continue chiseling away at, but not a major blocker.
> 
> Especially since we can always switch to raw-ip addresses for the ntp servers, as a workaround.
> 
> But I like some of the workarounds suggested such as starting secure, and then slowly ratcheting down the security as things fail.  So long as we don't expose a way to cripple the unit, or otherwise coerce it into misbehavior, I think we'll find a solution along those routes.

This suggests using 'tlsdate', or the dhcp time option (if provided by another DHCP server):
http://tools.ietf.org/id/draft-mglt-homenet-dnssec-validator-dhc-options-01.txt

tlsdate looks interesting, as you'd still have *some* protection from the TLS certificate check,
even if you patch it to fall back to an insecure DNS lookup.

Best regards,
--Edwin


