[Cerowrt-devel] DNSSEC & NTP Bootstrapping
simon at thekelleys.org.uk
Fri Mar 28 05:08:23 EDT 2014
-----BEGIN PGP SIGNED MESSAGE-----
On 28/03/14 07:57, Toke Høiland-Jørgensen wrote:
> Simon Kelley <simon at thekelleys.org.uk> writes:
>> Add a command-line flag to dnsmasq, called --dnssec-no-timecheck
>> or something, which disables the checking of RRSIG inception and
>> expiry times. This flag is automatically reset when dnsmasq gets
>> the SIGHUP signal which causes it to clear the cache and re-read
>> (some) configuration.
> One issue with this is that the openwrt init scripts currently take
> ages to restart dnsmasq because it has to rebuild the configuration
> from uci, which is done in shell.
Which makes this scheme better, since you don't have to restart
dnsmasq once the time stabilises, just SIGHUP it.
> Other than that I like the approach; it would enable *some*
> validation at least (I presume?).
All validation apart from checking the dates on the keys would continue.
> Another approach to "exiting" the mode could be that if the flag
> is turned off, for each validation attempt, first try to see if the
> time *does* validate; if it does, turn off the flag, otherwise
> retry the validation while ignoring the time. That would make it
> possible to just stick the flag in the configuration and have
> things "just work", I think. Only instance I can think of where
> this is not true is if some lookup succeeds due to a longer
> validity time, which will disable the flag, and then having the
> subsequent NTP server lookup fail. Not sure what the probability of
> this happening is, though.
Neither am I, nut it would be an interesting bug to find.....
I'll add --dnssec-no-timecheck when I get a moment today.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
-----END PGP SIGNATURE-----
More information about the Cerowrt-devel