[Cerowrt-devel] DNSSEC & NTP Bootstrapping

Simon Kelley simon at thekelleys.org.uk
Fri Mar 28 05:08:23 EDT 2014


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 28/03/14 07:57, Toke Høiland-Jørgensen wrote:
> Simon Kelley <simon at thekelleys.org.uk> writes:
> 
>> Add a command-line flag to dnsmasq, called --dnssec-no-timecheck
>> or something, which disables the checking of RRSIG inception and
>> expiry times. This flag is automatically reset when dnsmasq gets
>> the SIGHUP signal which causes it to clear the cache and re-read
>> (some) configuration.
> 
> One issue with this is that the openwrt init scripts currently take
> ages to restart dnsmasq because it has to rebuild the configuration
> from uci, which is done in shell.

Which makes this scheme better, since you don't have to restart
dnsmasq once the time stabilises, just SIGHUP it.

> Other than that I like the approach; it would enable *some*
> validation at least (I presume?).

All validation apart from checking the dates on the keys would continue.

> 
> Another approach to "exiting" the mode could be that if the flag
> is turned off, for each validation attempt, first try to see if the
> time *does* validate; if it does, turn off the flag, otherwise
> retry the validation while ignoring the time. That would make it
> possible to just stick the flag in the configuration and have
> things "just work", I think. Only instance I can think of where
> this is not true is if some lookup succeeds due to a longer
> validity time, which will disable the flag, and then having the
> subsequent NTP server lookup fail. Not sure what the probability of
> this happening is, though.

Neither am I, but it would be an interesting bug to find.....


I'll add --dnssec-no-timecheck when I get a moment today.


Cheers,

Simon.

> 
> -Toke
> 

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlM1PAcACgkQKPyGmiibgrfVRwCaAkzlyNV7rl6TCEImWbyd8ohJ
gtQAn3BJe5MneWk1c44ZiZkMNrxHCFIj
=Erot
-----END PGP SIGNATURE-----
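The two schemes discussed in the thread, modelled as an added example (this is illustrative code, not dnsmasq's implementation): a validator with a `no_timecheck` flag that either stays set until a SIGHUP resets it (Simon's proposal) or clears itself the first time an RRSIG's dates validate against the current clock (Toke's auto-exit variant). It also reproduces the failure case Toke raises: a long-validity signature clears the flag while the clock is still wrong, and the following short-validity lookup for the NTP server then fails. The class, function and record names, the clock values and the RRSIG records are constructed for the example; `crypto_ok` stands in for the signature verification that the flag does not affect. The date comparison follows RFC 4034 section 3.1.5, which requires 32-bit serial number arithmetic for the inception and expiration fields.

```python
"""Model of a --dnssec-no-timecheck style bootstrapping mode (added example, not dnsmasq code)."""
from dataclasses import dataclass

MOD = 1 << 32  # RRSIG time fields are 32-bit seconds since the epoch


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 serial number comparison on 32-bit values: is a < b?"""
    a %= MOD
    b %= MOD
    return (a < b and b - a < MOD // 2) or (a > b and a - b > MOD // 2)


@dataclass
class RRSIG:
    name: str
    inception: int   # hypothetical record; real RRSIGs carry more fields
    expiration: int


def rrsig_time_ok(sig: RRSIG, now: int) -> bool:
    """inception <= now <= expiration, compared with serial arithmetic."""
    return not serial_lt(now, sig.inception) and not serial_lt(sig.expiration, now)


class Validator:
    """auto_exit=False models the SIGHUP-reset scheme, auto_exit=True Toke's variant."""

    def __init__(self, no_timecheck: bool, auto_exit: bool):
        self.no_timecheck = no_timecheck
        self.auto_exit = auto_exit

    def sighup(self) -> None:
        """SIGHUP clears the cache and switches the date check back on."""
        self.no_timecheck = False

    def validate(self, sig: RRSIG, now: int, crypto_ok: bool) -> bool:
        # The signature check itself is unaffected by the flag.
        if not crypto_ok:
            return False
        if not self.no_timecheck:
            return rrsig_time_ok(sig, now)
        # Flag is set: try the dates first; if they validate, the clock is
        # presumably right and (in the auto-exit variant) the flag is cleared.
        if rrsig_time_ok(sig, now):
            if self.auto_exit:
                self.no_timecheck = False
            return True
        # Dates do not fit the current clock: accept anyway, ignoring time.
        return True


def bootstrap_scenario() -> dict:
    """Run both schemes through the same boot sequence and report the outcomes."""
    wrong_clock = 1_000_000_000   # constructed: router boots with a stale clock (2001)
    real_now = 1_395_900_000      # constructed: the actual time, late March 2014
    # Constructed records: one long-validity signature that happens to cover the
    # wrong clock, and a short-validity one for the NTP server name that does not.
    long_sig = RRSIG("example.", 900_000_000, 1_500_000_000)
    ntp_sig = RRSIG("ntp.example.", 1_395_000_000, 1_396_000_000)
    expired_sig = RRSIG("old.example.", 1_300_000_000, 1_310_000_000)

    # Auto-exit variant: the long-validity answer clears the flag at the wrong
    # clock, so the subsequent NTP-server lookup fails the date check.
    auto = Validator(no_timecheck=True, auto_exit=True)
    auto_first = auto.validate(long_sig, wrong_clock, crypto_ok=True)
    auto_ntp = auto.validate(ntp_sig, wrong_clock, crypto_ok=True)

    # SIGHUP variant: the flag stays set until the time has stabilised and the
    # daemon is signalled, so the NTP-server lookup succeeds while bootstrapping.
    hup = Validator(no_timecheck=True, auto_exit=False)
    hup.validate(long_sig, wrong_clock, crypto_ok=True)
    hup_ntp = hup.validate(ntp_sig, wrong_clock, crypto_ok=True)
    flag_during_bootstrap = hup.no_timecheck
    hup.sighup()  # NTP has set the clock; re-enable date checks
    after_hup = hup.validate(ntp_sig, real_now, crypto_ok=True)
    expired_after_hup = hup.validate(expired_sig, real_now, crypto_ok=True)

    return {
        "auto_first": auto_first,
        "auto_ntp_lookup": auto_ntp,
        "auto_flag_after": auto.no_timecheck,
        "hup_ntp_lookup": hup_ntp,
        "hup_flag_during_bootstrap": flag_during_bootstrap,
        "after_sighup": after_hup,
        "expired_after_sighup": expired_after_hup,
    }


if __name__ == "__main__":
    for key, value in bootstrap_scenario().items():
        print(f"{key}: {value}")
```

The dictionary returned by `bootstrap_scenario()` shows the trade-off in one place: the auto-exit variant rejects the NTP-server answer (`auto_ntp_lookup` is `False`) because an unrelated long-validity signature cleared the flag first, while the SIGHUP variant accepts it during bootstrap and, once signalled, rejects the expired record again.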


