[Cerowrt-devel] DNSSEC & NTP Bootstrapping
Simon Kelley
simon at thekelleys.org.uk
Fri Mar 28 06:41:58 EDT 2014
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 28/03/14 09:18, Toke Høiland-Jørgensen wrote:
> Simon Kelley <simon at thekelleys.org.uk> writes:
>
>> Which makes this scheme better, since you don't have to restart
>> dnsmasq once the time stabilises, just SIGHUP it.
>
> Yeah, but my concern was the opposite: say the flag is enabled in
> the config, it will run at boot in this mode, some script will kick
> in and set/verify the time, then SIGHUP dnsmasq. Everything is fine
> so far.
>
> Now if dnsmasq is restarted later for some reason (manually,
> config change, whatever), the flag will be enabled, and there will
> be no script to SIGHUP dnsmasq.
Understood, my suggestion is that the dnsmasq startup script somehow
interrogate NTP as to if it's running, and if it has a time lock. Only
setting the flag if it isn't or doesn't. Of course that depends on NTP
being able to answer the question.
Cheers,
Simon.
This is why I suggested having the flag do nothing if
> it indeed *is* possible to verify the timestamps. But I can see how
> from a debugging perspective that would be an annoying feature.
>
> I suppose special-casing the init script to add the flag only on
> boot might be a solution. Will experiment with it once you've added
> the flag :)
>
> -Toke
>
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.11 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlM1UfYACgkQKPyGmiibgrcJDwCfTZ5Z62g2ba53HHosgSy4paHh
rqYAoIvjh3U7WfjHSst6mI/vWQvHggPI
=Jtnj
-----END PGP SIGNATURE-----
More information about the Cerowrt-devel
mailing list