On 03/26/2014 12:36 PM, Aaron Wood wrote:
> I also don't consider the ntp/dnssec issue a blocker, not at the moment.
> It's a larger problem to solve, and one that needs solving in a wider context
> than just CeroWRT, and so we should keep working on a solution, but not make
> it a "release blocking" issue. It's a known issue, a known bit of research
> to continue chiseling away at, but not a major blocker.
>
> Especially since we can always switch to raw-ip addresses for the ntp
> servers, as a workaround.
>
> But I like some of the workarounds suggested such as starting secure, and
> then slowly ratcheting down the security as things fail. So long as we don't
> expose a way to cripple the unit, or otherwise coerce it into misbehavior, I
> think we'll find a solution along those routes.

This suggests using 'tlsdate', or the DHCP time option (if provided by
another DHCP server):
http://tools.ietf.org/id/draft-mglt-homenet-dnssec-validator-dhc-options-01.txt

tlsdate looks interesting, as you'd still have *some* protection from the TLS
certificate check, even if you patch it to fall back to an insecure DNS lookup.

Best regards,
--Edwin
