[Cerowrt-devel] DNSSEC & NTP Bootstrapping

Simon Kelley simon at thekelleys.org.uk
Fri Mar 28 06:41:58 EDT 2014


On 28/03/14 09:18, Toke Høiland-Jørgensen wrote:
> Simon Kelley <simon at thekelleys.org.uk> writes:
> 
>> Which makes this scheme better, since you don't have to restart 
>> dnsmasq once the time stabilises, just SIGHUP it.
> 
> Yeah, but my concern was the opposite: say the flag is enabled in
> the config, it will run at boot in this mode, some script will kick
> in and set/verify the time, then SIGHUP dnsmasq. Everything is fine
> so far.
> 
> Now if dnsmasq is restarted later for some reason (manually,
> config change, whatever), the flag will be enabled, and there will
> be no script to SIGHUP dnsmasq.


Understood, my suggestion is that the dnsmasq startup script somehow
interrogate NTP as to if it's running, and if it has a time lock. Only
setting the flag if it isn't or doesn't. Of course that depends on NTP
being able to answer the question.


Cheers,

Simon.

> This is why I suggested having the flag do nothing if
> it indeed *is* possible to verify the timestamps. But I can see how
> from a debugging perspective that would be an annoying feature.
> 
> I suppose special-casing the init script to add the flag only on
> boot might be a solution. Will experiment with it once you've added
> the flag :)
> 
> -Toke
> 

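The startup-script check suggested in the message above, sketched as an added example that is not part of the original thread or of dnsmasq's own scripts. It assumes the reference ntpd, queried with `ntpq -c rv`; the function names and sample outputs are constructed, and the flag is a placeholder because the thread does not name it.

```shell
#!/bin/sh
# Added example: pass the "skip timestamp checks" flag to dnsmasq only when
# NTP is not running or has no time lock.

# Placeholder: the thread does not name the dnsmasq flag under discussion.
TIMECHECK_OFF_FLAG="--PLACEHOLDER-flag-not-named-in-thread"

# ntp_has_lock RV_TEXT -> exit status 0 only if the text shows a synced clock.
ntp_has_lock() {
    rv=$1
    leap=$(printf '%s\n' "$rv" | sed -n 's/.*leap=\([01][01]\).*/\1/p' | head -n 1)
    stratum=$(printf '%s\n' "$rv" | sed -n 's/.*stratum=\([0-9][0-9]*\).*/\1/p' | head -n 1)
    # No answer at all (ntpd not running, ntpq missing) counts as "no lock".
    [ -n "$leap" ] && [ -n "$stratum" ] || return 1
    # leap=11 is the alarm state (unsynchronised); stratum 16 means the same.
    [ "$leap" != "11" ] && [ "$stratum" -ge 1 ] && [ "$stratum" -lt 16 ]
}

# dnsmasq_time_args RV_TEXT -> prints the extra dnsmasq argument, or nothing.
dnsmasq_time_args() {
    if ntp_has_lock "$1"; then
        printf ''
    else
        printf '%s' "$TIMECHECK_OFF_FLAG"
    fi
}

# Constructed samples of `ntpq -c rv` output, abbreviated.
RV_SYNCED='associd=0 status=0615 leap_none, sync_ntp, 1 event, clock_sync,
version="ntpd 4.2.6p5", processor="mips", leap=00, stratum=2, precision=-18,'
RV_UNSYNCED='associd=0 status=c016 leap_alarm, sync_unspec, 1 event, restart,
version="ntpd 4.2.6p5", processor="mips", leap=11, stratum=16, precision=-18,'

# Use in an init script (not executed here):
#   rv=$(ntpq -c rv 2>/dev/null)
#   dnsmasq $(dnsmasq_time_args "$rv")
```

Because the decision is made on every start, a later manual restart with a synchronised clock starts dnsmasq without the flag, which is the case raised in the quoted text.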
