Kevin Darbyshire-Bryant <ke...@darbyshire-bryant.me.uk> writes:

> This patch stops SIGHUP from enabling dnssec timechecks if disabled by
> use of --dnssec-no-timecheck option. --dnssec-timestamp continues to
> work correctly.

I'd argue that patching dnsmasq in this way is the wrong way to fix this. If you're worried about that DOS vector, don't use --dnssec-no-timecheck but rather use --dnssec-timestamp.

Also, in a scenario where --dnssec-no-timecheck is used, the expectation is that the time will be fixed in fairly short order (i.e. as soon as NTP syncs up), so the potential for this being a DOS vector is rather small I would say... And if you can SIGHUP the process you can also SIGKILL it.

-Toke