On 22/03/14 19:38, Toke Høiland-Jørgensen wrote:
> Simon Kelley <[email protected]> writes:
>
>> One possibility would be to store the current time in NVRAM. When
>> the router comes up, that gives a lower bound on the current
>> time, and would solve attacks using old keys.
>
> This is already implemented (basically it finds the most recently
> modified file in /etc and sets the time to that; I think there's
> also a script that periodically refreshes some file there), and
> works to keep time during a reboot. However, when first flashing an
> image, the time will be whatever time that image was created...
>
>> Less drastic would be to disable the key-time checks for this
>> phase. Simplest would be a config flag: start it up with that
>> flag whilst NTP does its stuff, then restart without when the
>> clock is OK. Another option would be to disable the checks when
>> the query arrives from a "magic" loopback address: maybe
>> 127.110.116.112 (127.'n'.'t'.'p')
>
> The magic address would require the resolver and/or the ntp daemon
> to be patched? What about a config option that adds a grace time?
> Say enable dnssec after N seconds?
That would be possible: it would require care to make it work in the
face of the system time being warped by NTP. Best way may be to use
times() rather than time()

Cheers,

Simon.

> -Toke

_______________________________________________
Cerowrt-devel mailing list
[email protected]
https://lists.bufferbloat.net/listinfo/cerowrt-devel
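The grace-time option Toke proposes and the times()-versus-time() point in Simon's reply, as an added illustration (example code written for this page, not dnsmasq's or CeroWrt's; grace_timer, grace_secs and the RRSIG helper names are assumptions):

```c
#include <stdint.h>
#include <sys/times.h>
#include <time.h>
#include <unistd.h>

/* Added example, not dnsmasq code. A DNSSEC start-up grace period measured
 * with times(): its tick count runs from an arbitrary origin, so an NTP step
 * of the wall clock leaves "seconds since start" untouched, whereas
 * time(now) - time(start) would jump forward or backward with the step. */

typedef struct {
    clock_t  start_ticks;  /* times() reading when the daemon started */
    long     hz;           /* ticks per second, sysconf(_SC_CLK_TCK) */
    unsigned grace_secs;   /* hypothetical "enable dnssec after N seconds" */
} grace_timer;

/* Read the live clocks; the checks below take the "now" tick as an argument
 * so they can be exercised without actually waiting. */
grace_timer grace_timer_start(unsigned grace_secs)
{
    struct tms t;
    grace_timer g = { times(&t), sysconf(_SC_CLK_TCK), grace_secs };
    return g;
}

int grace_elapsed(const grace_timer *g, clock_t now_ticks)
{
    return (now_ticks - g->start_ticks) / g->hz >= (clock_t)g->grace_secs;
}

/* RFC 4034 s3.1.5: RRSIG times are 32-bit, compared with RFC 1982 serial arithmetic. */
static int serial_le(uint32_t a, uint32_t b) { return (int32_t)(b - a) >= 0; }

int rrsig_window_ok(uint32_t inception, uint32_t expiration, uint32_t now)
{
    return serial_le(inception, now) && serial_le(now, expiration);
}

/* Time-window verdict only: while the grace period runs the clock is
 * untrusted, so the window is not enforced (the "disable the key-time
 * checks for this phase" option); afterwards it is. Signature verification
 * itself is unaffected and must still pass either way. */
int rrsig_time_accept(const grace_timer *g, clock_t now_ticks, time_t wall,
                      uint32_t inception, uint32_t expiration)
{
    if (!grace_elapsed(g, now_ticks))
        return 1;
    return rrsig_window_ok(inception, expiration, (uint32_t)wall);
}
```

Within the grace window an expired or not-yet-valid RRSIG is accepted, so N should cover no more than the time NTP normally needs to sync; the /etc-mtime lower bound Toke describes still applies to the wall clock itself.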
