Re: [OpenWrt-Devel] [PATCH v2] base-files: init/sysfixtime - exclude dnsmasq.time

Steven Barth writes: > Using --dnssec-no-timecheck is impractical since it reacts to SIGHUP which > is already overloaded and might be triggered by e.g. config changes. Quite apart from the signaling, using --dnssec-no-timecheck very quickly turns into an ugly hack. I

Re: [OpenWrt-Devel] [PATCH v2] base-files: init/sysfixtime - exclude dnsmasq.time

On 30/09/15 03:22, Yousong Zhou wrote: > Hi, hope this comment is not too late :) To be blunt I've given up. There's a 'companion' patch https://patchwork.ozlabs.org/patch/522968/ which also is mentally in the same state. Ultimately if ntpd can be persuaded to set a flag when it considers time

Re: [OpenWrt-Devel] [PATCH v2] base-files: init/sysfixtime - exclude dnsmasq.time

Hi, hope this comment is not too late :) On 23 September 2015 at 17:12, Steven Barth wrote: > Using --dnssec-no-timecheck is impractical since it reacts to SIGHUP which > is already overloaded and might be triggered by e.g. config changes. > Agree. I did not check the source

Re: [OpenWrt-Devel] [PATCH v2] base-files: init/sysfixtime - exclude dnsmasq.time

On 9/22/15 1:52 PM, Bastian Bittorf wrote: > +maxtime() { > + local dir file > + > + find /etc -type d | while read dir; do > + file="$dir/$( ls -1t "$dir" | head -n1 )" > + [ -e "$file" -a "$file" != '/etc/dnsmasq.time' ] && date -r > "$file" +%s > + done |

Re: [OpenWrt-Devel] [PATCH v2] base-files: init/sysfixtime - exclude dnsmasq.time

On 23/09/15 03:42, Yousong Zhou wrote: > On 23 September 2015 at 01:52, Bastian Bittorf wrote: >> dnsmasq maintains dnsmasq.time across reboots and uses it as a means of >> determining if current time is good enough to validate dnssec time >> stamps. By including

Re: [OpenWrt-Devel] [PATCH v2] base-files: init/sysfixtime - exclude dnsmasq.time

* Kevin Darbyshire-Bryant [23.09.2015 12:21]: [...] > signature timestamps. If the system time is not actually 'internet > time' (within a tolerance of which I'm unclear) and dnsmasq is using > 'dnssec-check-unsigned' then ALL dns resolution will fail (everything

Re: [OpenWrt-Devel] [PATCH v2] base-files: init/sysfixtime - exclude dnsmasq.time

* Yousong Zhou [23.09.2015 07:58]: > In theory, a security sensitive mechanism's dependence on a > non-reliable timestamp file with access permission nobody:nogroup > makes little sense to me. How about that we do --dnssec-no-timecheck > on dnsmasq startup time and notify

Re: [OpenWrt-Devel] [PATCH v2] base-files: init/sysfixtime - exclude dnsmasq.time

On 23/09/15 07:13, Bastian Bittorf wrote: > * Yousong Zhou [23.09.2015 07:58]: >> In theory, a security sensitive mechanism's dependence on a >> non-reliable timestamp file with access permission nobody:nogroup >> makes little sense to me. How about that we do

Re: [OpenWrt-Devel] [PATCH v2] base-files: init/sysfixtime - exclude dnsmasq.time

Using --dnssec-no-timecheck is impractical since it reacts to SIGHUP which is already overloaded and might be triggered by e.g. config changes. Btw. an ntp hotplug infrastructure exists: https://dev.openwrt.org/changeset/43421 Please also consider that some devices have an RTC, so disabling

[OpenWrt-Devel] [PATCH v2] base-files: init/sysfixtime - exclude dnsmasq.time

dnsmasq maintains dnsmasq.time across reboots and uses it as a means of determining if current time is good enough to validate dnssec time stamps. By including /etc/dnsmasq.time as a time source for sysfixtime, the mechanism was effectively defeated because time was set to the last time that

Re: [OpenWrt-Devel] [PATCH v2] base-files: init/sysfixtime - exclude dnsmasq.time

On 23 September 2015 at 01:52, Bastian Bittorf wrote: > dnsmasq maintains dnsmasq.time across reboots and uses it as a means of > determining if current time is good enough to validate dnssec time > stamps. By including /etc/dnsmasq.time as a time source for sysfixtime, >