[Cerowrt-devel] DNSSEC & NTP Bootstrapping

Toke Høiland-Jørgensen toke at toke.dk
Fri Mar 28 03:57:36 EDT 2014


Simon Kelley <simon at thekelleys.org.uk> writes:

> Add a command-line flag to dnsmasq, called --dnssec-no-timecheck or
> something, which disables the checking of RRSIG inception and expiry
> times. This flag is automatically reset when dnsmasq gets the SIGHUP
> signal which causes it to clear the cache and re-read (some)
> configuration.

One issue with this is that the OpenWrt init scripts currently take ages
to restart dnsmasq because it has to rebuild the configuration from UCI,
which is done in shell. Other than that I like the approach; it would
enable *some* validation at least (I presume?).

Another approach to "exiting" the mode could be that if the flag is
turned off, for each validation attempt, first try to see if the time
*does* validate; if it does, turn off the flag, otherwise retry the
validation while ignoring the time. That would make it possible to just
stick the flag in the configuration and have things "just work", I
think. The only instance I can think of where this is not true is if some
lookup succeeds due to a longer validity time, which disables the
flag, and then the subsequent NTP server lookup fails. Not sure
what the probability of this happening is, though.

-Toke
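The bootstrap logic discussed in this thread, as an added model that is not dnsmasq code and not part of the original mail. It implements the strict RRSIG inception/expiration window check (RFC 4034 timestamps are 32-bit, so the comparison uses RFC 1982 serial arithmetic), a hypothetical `no_timecheck` flag named after the proposed `--dnssec-no-timecheck` option that restores its configured value on SIGHUP, and the suggested exit rule: while the flag is set, try the real time check first and clear the flag as soon as one signature validates with the clock. The `bootstrap_scenario()` function replays the failure case raised at the end of the mail; all timestamps and the "stuck at firmware build date" clock are constructed values.

```python
"""Model of DNSSEC signature-time checking with a self-clearing
"no timecheck" bootstrap mode.  Constructed example, not dnsmasq code."""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional, Tuple

MASK32 = 0xFFFFFFFF
HALF = 1 << 31


def serial_le(a: int, b: int) -> bool:
    """RFC 1982 'a <= b' on 32-bit serials; RRSIG times wrap around in 2106."""
    a &= MASK32
    b &= MASK32
    return a == b or ((b - a) & MASK32) < HALF


def ts(text: str) -> int:
    """Parse an RRSIG presentation-format timestamp (YYYYMMDDHHmmSS, UTC)."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


@dataclass
class Validator:
    # Value of the (hypothetical) --dnssec-no-timecheck option as configured.
    configured_no_timecheck: bool
    # Live flag: starts as configured, clears once a signature validates
    # against the real clock, and is restored on SIGHUP.
    no_timecheck: Optional[bool] = None

    def __post_init__(self) -> None:
        if self.no_timecheck is None:
            self.no_timecheck = self.configured_no_timecheck

    def sighup(self) -> None:
        """Config re-read restores the flag, as proposed for SIGHUP."""
        self.no_timecheck = self.configured_no_timecheck

    @staticmethod
    def strict_time_ok(inception: int, expiration: int, now: int) -> bool:
        """RFC 4034 s3.1.5: inception <= now <= expiration, serial arithmetic."""
        return serial_le(inception, now) and serial_le(now, expiration)

    def check(self, inception: int, expiration: int, now: int) -> Tuple[bool, str]:
        """Return (accepted, reason) for one RRSIG's validity window."""
        if self.strict_time_ok(inception, expiration, now):
            if self.no_timecheck:
                # The clock agrees with a signature: leave the bootstrap mode.
                self.no_timecheck = False
            return True, "time-valid"
        if self.no_timecheck:
            # Bootstrap mode: accept, but record that the window was ignored.
            return True, "time-ignored"
        return False, "time-invalid"


def bootstrap_scenario() -> List[Tuple[str, str]]:
    """Replay the caveat from the mail: a long-lived signature validates even
    under a wrong clock, clearing the flag, and the short-lived signature
    covering the NTP server's name then fails.  All values constructed."""
    v = Validator(configured_no_timecheck=True)
    wrong_clock = ts("20140101000000")            # router clock stuck in the past
    long_lived = (ts("20130601000000"), ts("20150601000000"))
    ntp_name = (ts("20140320000000"), ts("20140410000000"))
    log = []
    # Ordering 1: the NTP lookup happens first and is accepted with time ignored.
    log.append(("ntp first", v.check(*ntp_name, wrong_clock)[1]))
    v.sighup()                                    # restore the flag for ordering 2
    # Ordering 2: a long-lived record validates first and clears the flag ...
    log.append(("long-lived first", v.check(*long_lived, wrong_clock)[1]))
    # ... so the NTP server's short-lived signature is now rejected.
    log.append(("ntp after", v.check(*ntp_name, wrong_clock)[1]))
    return log


if __name__ == "__main__":
    for step, reason in bootstrap_scenario():
        print(f"{step:17s} {reason}")
```

Running the module prints the three outcomes in order (`time-ignored`, `time-valid`, `time-invalid`), which is exactly the race described in the mail: whether the flag clears before or after the NTP server's name is resolved decides whether bootstrap succeeds.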