On 2013-07-02 at 14:50 -0400, Doug Calvert wrote:
> On Fri, Jun 28, 2013 at 1:50 AM, Phil Pennock
> <[email protected]> wrote:
> > Per previous thread, the best approach to resolving the boot-time "catch
> > 22" for getting DNS to get time to get DNS working was to use a query
> > with checking disabled, and this could be done well enough in shell in
> > the existing ntpdate system startup script.
>
> How about using the ctime of /var/lib/unbound/root.key and or parse
Oh, I like that, thanks. I'd been wondering what might be a way of
periodically updating a file to get a recent timestamp, but unbound is
inherently doing that for me already, so I don't even add more I/O.
The date(1) command on this thing can't parse the timestamp output by
ls(1) and the ls(1) doesn't support using other formats for emission, so
I ended up resorting to Python, because that's what I have installed.
Available file-system paths are constrained by "what persists past a
reboot", so the var|etc separation isn't what I'd like. But at least
I'd already made sure the root autokey would persist, which is
definitely not the default. Between that and the Python, this addition
makes the result far less portable than even the added dependency upon
dig. But hey, it works for me, in my testing just now.
----------------------------8< cut here >8------------------------------
PRESEED_TIMESTAMP_FN="/etc/unbound/runtime/root.autokey"
# ...
# Also, per a suggestion from Doug Calvert, we can use the timestamp of
# modification of the unbound root.key file itself as an approximate time.
# Unbound updates the file on every refresh, so it's not too far off.
preseed_approximate_time() {
    # Unfortunately, date(1) on OpenWRT can't parse the timestamp
    # output from ls, so the comparison and formatting are done in Python.
    # The clock is only ever stepped forward: the file's ctime is a lower
    # bound on the real time, so a stale file can never roll the clock back.
    python -c '
import os, time, sys
fn = sys.argv[1]
min_time = os.stat(fn).st_ctime          # last change to the root key file
if time.time() < min_time:               # clock is behind the file: step it
    want = time.strftime("%Y%m%d%H%M.%S", time.gmtime(min_time))
    os.system("date -u -s %s" % want)' "$PRESEED_TIMESTAMP_FN" > /dev/null
}
# ...
----------------------------8< cut here >8------------------------------
Then in start(), first call preseed_approximate_time, then continue as
before.
Thanks, that's a useful improvement and *should* remove the
vulnerability window entirely, as long as the router is routinely
powered on, only leaving a trust-on-first-use exposure after being off
for a prolonged period.
-Phil
_______________________________________________ pool mailing list [email protected] http://lists.ntp.org/listinfo/pool
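The following is an added Python example (not the script from the mail above, and not part of unbound or the ntpdate init script) that generalises the preseeding step discussed in this thread: it takes the newest timestamp across several files that persist over a reboot, treats it as a lower bound on the real time, and only ever moves the clock forward. The candidate paths and the self_check() helper are assumptions for illustration; the date argument format is the one used in the mail.

```python
#!/usr/bin/env python
"""Preseed an approximate system time from the timestamps of files that
persist across reboots, so that DNSSEC validation (which needs a roughly
correct clock) can bootstrap before NTP has synchronised.

Added example for the thread above; not the author's script."""
import os
import subprocess
import time

# Files that the running system rewrites periodically. These paths are
# assumptions for illustration (the first two are the ones named in the
# thread); use whatever actually persists on your device.
CANDIDATE_FILES = [
    "/etc/unbound/runtime/root.autokey",
    "/var/lib/unbound/root.key",
]


def newest_timestamp(paths):
    """Return the newest mtime among the paths that exist, or None.

    A rewrite of the file updates both mtime and ctime; mtime is used here
    because it survives a copy and can be set deterministically in tests."""
    newest = None
    for path in paths:
        try:
            st = os.stat(path)
        except OSError:
            continue  # missing or unreadable file: skip, do not fail
        if newest is None or st.st_mtime > newest:
            newest = st.st_mtime
    return newest


def date_argument(ts):
    """Format an epoch time the way busybox date -s accepts it: YYYYMMDDhhmm.ss (UTC)."""
    return time.strftime("%Y%m%d%H%M.%S", time.gmtime(ts))


def plan_preseed(paths, now=None):
    """Return the date(1) argument to step the clock to, or None.

    None means either no usable file was found or the clock is already at or
    past the newest file time. The clock is never moved backwards, so a
    stale or tampered file cannot roll time back."""
    if now is None:
        now = time.time()
    newest = newest_timestamp(paths)
    if newest is None or now >= newest:
        return None
    return date_argument(newest)


def apply_preseed(paths=CANDIDATE_FILES, dry_run=True):
    """Build (and, unless dry_run, run) the date command. Returns the argv or None."""
    arg = plan_preseed(paths)
    if arg is None:
        return None
    cmd = ["date", "-u", "-s", arg]
    if not dry_run:
        subprocess.call(cmd)  # argv list: no shell, no quoting concerns
    return cmd


def self_check():
    """Exercise plan_preseed against a constructed temporary file with a
    known mtime (not unbound's real root.key)."""
    import tempfile
    stamp = 1372789800  # constructed: 2013-07-02 18:30:00 UTC
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.utime(path, (stamp, stamp))
        return {
            "behind": plan_preseed([path], now=1000),          # clock far behind
            "ahead": plan_preseed([path], now=stamp + 5),      # clock already ahead
            "missing": plan_preseed([path + ".missing"], now=1000),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(self_check())
    print(apply_preseed(dry_run=True))
```

Run with dry_run=True from an init script to see what would be set; switch to dry_run=False only where the listed files are known to be rewritten while the system is up. Because the result is only a lower bound, the remaining exposure is the one Phil describes: a device that has been powered off for a long time still starts with a clock older than the truth until NTP corrects it.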
