Steven Barth writes:
> Using --dnssec-no-timecheck is impractical since it reacts to SIGHUP which
> is already overloaded and might be triggered by e.g. config changes.
Quite apart from the signaling, using --dnssec-no-timecheck very quickly
turns into an ugly hack. I
On 30/09/15 03:22, Yousong Zhou wrote:
> Hi, hope this comment is not too late :)
To be blunt I've given up. There's a 'companion' patch
https://patchwork.ozlabs.org/patch/522968/ which also is mentally in the
same state.
Ultimately if ntpd can be persuaded to set a flag when it considers time
Hi, hope this comment is not too late :)
On 23 September 2015 at 17:12, Steven Barth wrote:
> Using --dnssec-no-timecheck is impractical since it reacts to SIGHUP which
> is already overloaded and might be triggered by e.g. config changes.
>
Agree. I did not check the source
On 9/22/15 1:52 PM, Bastian Bittorf wrote:
> +maxtime() {
> + local dir file
> +
> + find /etc -type d | while read dir; do
> + file="$dir/$( ls -1t "$dir" | head -n1 )"
> + [ -e "$file" -a "$file" != '/etc/dnsmasq.time' ] && date -r
> "$file" +%s
> + done |
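Review bot: In maxtime(), the != '/etc/dnsmasq.time' test runs only after 'ls -1t "$dir" | head -n1' has already picked the newest entry, so when dnsmasq.time is the newest file in /etc the loop emits no timestamp for /etc at all instead of falling back to the next-newest file there. Filter dnsmasq.time out of the listing before taking the first entry. Separately, 'read dir' without -r and parsing ls output both mishandle unusual file names, and the '[ ... -a ... ]' form is better written as two tests joined with &&.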
On 23/09/15 03:42, Yousong Zhou wrote:
> On 23 September 2015 at 01:52, Bastian Bittorf wrote:
>> dnsmasq maintains dnsmasq.time across reboots and uses it as a means of
>> determining if current time is good enough to validate dnssec time
>> stamps. By including
* Kevin Darbyshire-Bryant [23.09.2015 12:21]:
[...]
> signature timestamps. If the system time is not actually 'internet
> time' (within a tolerance of which I'm unclear) and dnsmasq is using
> 'dnssec-check-unsigned' then ALL dns resolution will fail (everything
* Yousong Zhou [23.09.2015 07:58]:
> In theory, a security sensitive mechanism's dependence on a
> non-reliable timestamp file with access permission nobody:nogroup
> makes little sense to me. How about that we do --dnssec-no-timecheck
> on dnsmasq startup time and notify
On 23/09/15 07:13, Bastian Bittorf wrote:
> * Yousong Zhou [23.09.2015 07:58]:
>> In theory, a security sensitive mechanism's dependence on a
>> non-reliable timestamp file with access permission nobody:nogroup
>> makes little sense to me. How about that we do
Using --dnssec-no-timecheck is impractical since it reacts to SIGHUP which
is already overloaded and might be triggered by e.g. config changes.
Btw. an ntp hotplug infrastructure exists:
https://dev.openwrt.org/changeset/43421
Please also consider that some devices have an RTC, so disabling
dnsmasq maintains dnsmasq.time across reboots and uses it as a means of
determining if current time is good enough to validate dnssec time
stamps. By including /etc/dnsmasq.time as a time source for sysfixtime,
the mechanism was effectively defeated because time was set to the last
time that
On 23 September 2015 at 01:52, Bastian Bittorf wrote:
> dnsmasq maintains dnsmasq.time across reboots and uses it as a means of
> determining if current time is good enough to validate dnssec time
> stamps. By including /etc/dnsmasq.time as a time source for sysfixtime,
>
11 matches