On 28/03/14 07:57, Toke Høiland-Jørgensen wrote:
> Simon Kelley <[email protected]> writes:
>
>> Add a command-line flag to dnsmasq, called --dnssec-no-timecheck
>> or something, which disables the checking of RRSIG inception and
>> expiry times. This flag is automatically reset when dnsmasq gets
>> the SIGHUP signal which causes it to clear the cache and re-read
>> (some) configuration.
>
> One issue with this is that the openwrt init scripts currently take
> ages to restart dnsmasq because it has to rebuild the configuration
> from uci, which is done in shell.

Which makes this scheme better, since you don't have to restart dnsmasq
once the time stabilises, just SIGHUP it.

> Other than that I like the approach; it would enable *some*
> validation at least (I presume?).

All validation apart from checking the dates on the keys would continue.

> Another approach to "exiting" the mode could be that if the flag
> is turned off, for each validation attempt, first try to see if the
> time *does* validate; if it does, turn off the flag, otherwise
> retry the validation while ignoring the time. That would make it
> possible to just stick the flag in the configuration and have
> things "just work", I think. Only instance I can think of where
> this is not true is if some lookup succeeds due to a longer
> validity time, which will disable the flag, and then having the
> subsequent NTP server lookup fail. Not sure what the probability of
> this happening is, though.

Neither am I, but it would be an interesting bug to find.....

I'll add --dnssec-no-timecheck when I get a moment today.

Cheers,

Simon.

> -Toke

_______________________________________________
Cerowrt-devel mailing list
[email protected]
https://lists.bufferbloat.net/listinfo/cerowrt-devel
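The two mechanisms discussed in the thread, a flag that skips the RRSIG inception/expiry window until SIGHUP clears it (Simon's design) and the variant that clears itself on the first signature whose window does validate (Toke's suggestion), reduce to a small amount of state around the time check. The model below is an added illustration, not dnsmasq code and not anything either author posted; the record names, timestamps and the `Validator`, `RRSig`, `boot_scenario` and `after_time_sync` names are all constructed. It also plays through the edge case Toke raises: a router whose clock is stuck at its firmware build time validates a long-lived signature in-window, the flag clears, and the NTP server's name, signed after the build, is then rejected.

```python
"""Model of an RRSIG time-window check with a "no-timecheck" mode.

Constructed example for the list discussion; not dnsmasq code. Times are
plain Unix seconds here; a real validator compares the 32-bit RRSIG
inception/expiration fields with RFC 4034 serial-number arithmetic.
"""
from dataclasses import dataclass

DAY = 86400


@dataclass(frozen=True)
class RRSig:
    """The two RRSIG time fields that matter for this discussion."""
    owner: str
    inception: int    # signature is not valid before this time
    expiration: int   # signature is not valid after this time


class Validator:
    """Tracks a --dnssec-no-timecheck style flag across validations.

    auto_exit=False models Simon's description: the flag stays set until
    a reload (SIGHUP) clears it.  auto_exit=True models Toke's variant:
    the first signature whose window validates against the clock clears
    the flag for every later lookup.
    """

    def __init__(self, no_timecheck: bool, auto_exit: bool):
        self.no_timecheck = no_timecheck
        self.auto_exit = auto_exit

    def reload(self) -> None:
        """SIGHUP handling as described: the flag is reset on reload."""
        self.no_timecheck = False

    @staticmethod
    def in_window(sig: RRSig, now: int) -> bool:
        return sig.inception <= now <= sig.expiration

    def check_times(self, sig: RRSig, now: int):
        """Time part of validation only; returns (accepted, reason)."""
        if self.in_window(sig, now):
            if self.no_timecheck and self.auto_exit:
                self.no_timecheck = False   # time "does validate": leave the mode
            return True, "in-window"
        if self.no_timecheck:
            return True, "out-of-window-ignored"
        return False, "out-of-window-rejected"


# Constructed clock value: the router boots with its clock at build time.
T_BUILD = 1_390_000_000

# Constructed signatures: one made before the build with a long validity
# window, and the NTP server's name signed after the build (two weeks).
LONG_LIVED = RRSig("example.net.", T_BUILD - 5 * DAY, T_BUILD + 30 * DAY)
NTP_SERVER = RRSig("ntp.example.", T_BUILD + 10 * DAY, T_BUILD + 24 * DAY)


def boot_scenario(auto_exit: bool):
    """Validate LONG_LIVED then NTP_SERVER with the clock stuck at T_BUILD.

    Returns (decisions, flag_still_set) where decisions is a list of
    (owner, accepted, reason).
    """
    v = Validator(no_timecheck=True, auto_exit=auto_exit)
    decisions = []
    for sig in (LONG_LIVED, NTP_SERVER):
        ok, why = v.check_times(sig, T_BUILD)
        decisions.append((sig.owner, ok, why))
    return decisions, v.no_timecheck


def after_time_sync(days_after_build: int):
    """Once NTP has set the clock, a reload clears the flag and the NTP
    server's signature is accepted on its own merits."""
    v = Validator(no_timecheck=True, auto_exit=False)
    v.reload()
    return v.check_times(NTP_SERVER, T_BUILD + days_after_build * DAY)


if __name__ == "__main__":
    print("SIGHUP-only flag:", boot_scenario(auto_exit=False))
    print("auto-exit flag:  ", boot_scenario(auto_exit=True))
    print("after sync:      ", after_time_sync(12))
```

With the SIGHUP-only flag both lookups succeed at boot and the flag remains set until the reload. With the auto-exit variant the long-lived signature clears the flag and the NTP server lookup is then rejected, which is the failure Toke describes; whether it matters in practice depends on how often a record with a window covering the stale clock is validated before the NTP lookup.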
