[Cerowrt-devel] DNSSEC & NTP Bootstrapping -- prototype!

Dave Taht dave.taht at gmail.com
Sun Mar 30 16:06:29 EDT 2014

On Sun, Mar 30, 2014 at 12:30 PM, Toke Høiland-Jørgensen <toke at toke.dk> wrote:
> Toke Høiland-Jørgensen <toke at toke.dk> writes:
>> This would involve teaching the uclibc resolver about the CD bit and
>> expose it in the resolver API I think. Can look into how difficult
>> this actually is to do; with the caveat that I'm not exactly an expert
>> on such code :P
> OK, went looking at the code. As far as I can tell, it would probably be
> possible to teach the part of uclibc that does DNS lookups about the CD
> bit. However, I'm not sure there's a way to pass the request for no

Only thing I can think of that makes some sense at the moment is
doing a stubby resolver in ntp itself.

> validation through the resolver to the right place; certainly not

There isn't. Arguably there should have been a flag added to getaddrinfo
ages ago...

> without entirely reworking the way ntpd does hostname lookups (and
> possibly other parts of the C library as well). Either way it's not

Not today then. :)

> something I feel up to with the time I have available for hacking on
> cerowrt. So I am abandoning this avenue of enquiry.

So far fixing this dependency has eluded dnssec implementers for 12 years.

> I'll be happy to work on improving the dnsmasq script with the
> --dnssec-no-timecheck parameter approach; but if it is going to be
> rejected in favour of a different approach I'd rather not waste any more
> time on it... :)

Please push the script into the cerowrt repo for further testing.

> -Toke

Dave Täht
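The "stubby resolver in ntp itself" idea above amounts to sending a DNS query with the CD (checking disabled) bit set, so that a validating cache like dnsmasq will hand back an unvalidated answer for the NTP server name even while the clock is still wrong, instead of SERVFAIL. The following is an added illustration, not code from this thread or from cerowrt, ntpd or dnsmasq: it builds such a query, parses the response header and A records, and classifies the result by the AD/CD/RCODE flags. The two response messages are constructed inline for the example (the 192.0.2.1 address is a documentation address); the name `pool.ntp.org` is only a sample.

```python
import struct

# DNS header flag bits (RFC 1035 section 4.1.1; AD and CD from RFC 2535 section 6.1)
FLAG_QR = 1 << 15  # response
FLAG_RD = 1 << 8   # recursion desired
FLAG_RA = 1 << 7   # recursion available
FLAG_AD = 1 << 5   # authenticated data: resolver validated the answer
FLAG_CD = 1 << 4   # checking disabled: please do not validate, just answer
RCODE_SERVFAIL = 2

def encode_name(name):
    """Encode a dotted hostname into DNS wire format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not label:
            continue
        raw = label.encode("ascii")
        if len(raw) > 63:
            raise ValueError("label too long: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"

def build_query(name, txid=0x1234, checking_disabled=True, qtype=1):
    """Build a one-question A query; CD=1 asks the validator to skip validation."""
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)

def parse_header(msg):
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "rcode": flags & 0xF,
        "qdcount": qd,
        "ancount": an,
    }

def skip_name(msg, off):
    """Return the offset just past a (possibly compressed) name at off."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # compression pointer: two bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_a_records(msg):
    """Extract IPv4 addresses from the answer section of a response."""
    hdr = parse_header(msg)
    off = 12
    for _ in range(hdr["qdcount"]):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    addrs = []
    for _ in range(hdr["ancount"]):
        off = skip_name(msg, off)
        rtype, rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in msg[off:off + 4]))
        off += rdlen
    return addrs

def classify(resp, expected_id):
    """Tell the caller what kind of answer it got, so it can decide how far to trust it."""
    h = parse_header(resp)
    if not h["qr"] or h["id"] != expected_id:
        return "ignore"          # not a reply to our query
    if h["rcode"] == RCODE_SERVFAIL:
        return "servfail"        # typical result when validation fails (e.g. wrong clock)
    if h["rcode"] != 0:
        return "error"
    return "validated" if h["ad"] else "unvalidated"

# Constructed sample: an answer returned with CD set and AD clear (unvalidated data).
SAMPLE_RESPONSE_CD = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | FLAG_CD, 1, 1, 0, 0)
    + encode_name("pool.ntp.org") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes([192, 0, 2, 1])
)

# Constructed sample: what a validating resolver returns when it cannot validate.
SAMPLE_RESPONSE_SERVFAIL = (
    struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA | RCODE_SERVFAIL, 1, 0, 0, 0)
    + encode_name("pool.ntp.org") + struct.pack("!HH", 1, 1)
)

if __name__ == "__main__":
    print(build_query("pool.ntp.org").hex())
    print(classify(SAMPLE_RESPONSE_CD, 0x1234), parse_a_records(SAMPLE_RESPONSE_CD))
    print(classify(SAMPLE_RESPONSE_SERVFAIL, 0x1234))
```

The point of the `classify` step is that an answer obtained with CD=1 arrives with AD=0 and must be treated as unvalidated: it is good enough to reach a time server and get the clock set, after which ordinary validated lookups (CD=0, expecting AD=1) can be used for everything else.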

