On Sun, Mar 30, 2014 at 6:21 AM, Toke Høiland-Jørgensen <[email protected]> wrote:
> Dave Taht <[email protected]> writes:
>
>> Well I strongly favor less interdependency between ntp, a monitoring
>> script, and dnsmasq.
>
> Well, the reverse dependency (i.e. the modification of the ntpd startup
> script) is not strictly needed, so the dependency could be made to be
> one-way (it kinda is already). Also, in case ntpd is missing it's quite
> easy to just bail out and start dnsmasq in full validation mode.
>
> The nice thing about this switch to dnsmasq is that it does validation
> of the chain, just ignoring validity times; which presumably would make
> it harder to exploit as you'd need an actual valid key, rather than just
> be able to spoof the packets reply of the non-validated query...
>
>> I'd kind of like some sort of check on validating the dns roots, if it
>> fails due to the time being wrong, disable dnssec and wait for clock
>> slew.
>
> Well conceivably you could be in a situation where the roots validate,
> but validation fails further down the chain, making that scheme fail in
> weird and unpredictable ways?

http://www.bortzmeyer.org/dns-routing-hijack-turkey.html ?

>> Another other alternative is a ntp that does a query with the
>> authenticate bit off, all the time.
>
> This would involve teaching the uclibc resolver about the CD bit and
> expose it in the resolver API I think. Can look into how difficult this
> actually is to do; with the caveat that I'm not exactly an expert on
> such code :P
>
> Also, see above re: validation modes.
>
>> On Sat, Mar 29, 2014 at 2:21 PM, Michael Richardson <[email protected]>
>> wrote:
>>>
>>> This process needs to be written up as an IETF BCP.
>
> I'll be happy to write something up once we actually settle on something :)
>
> -Toke

--
Dave Täht
Fixing bufferbloat with cerowrt: http://www.teklibre.com/cerowrt/subscribe.html
_______________________________________________
Cerowrt-devel mailing list
[email protected]
https://lists.bufferbloat.net/listinfo/cerowrt-devel
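The startup decision the thread is circling (validate the chain but ignore RRSIG times until the clock is set, full validation when no ntpd will ever fix the clock), written out as an added example; this is not cerowrt's or dnsmasq's own script. The dnsmasq option names are dnsmasq's own; BUILD_EPOCH, the ntp hook and the pid-file path are assumptions, and the SIGINT step relies on dnsmasq's documented behaviour of enabling time checks on SIGINT after a --dnssec-no-timecheck start.

```shell
# Constructed example: choose dnsmasq's DNSSEC mode at boot from two facts,
# whether an ntp daemon is installed and whether the clock looks sane.

# Hypothetical: Unix time the firmware image was built. A clock earlier than
# this cannot be real wall-clock time on a box with no battery-backed RTC.
BUILD_EPOCH=1396137600   # 2014-03-30 00:00:00 UTC, constructed value

# dnssec_opts NTPD_PRESENT NOW
#   NTPD_PRESENT: 1 if an ntp daemon will set the clock later, 0 otherwise
#   NOW: current Unix time (pass "$(date +%s)" in real use)
# Prints the dnsmasq options to start with.
dnssec_opts() {
    ntpd_present=$1
    now=$2
    if [ "$now" -ge "$BUILD_EPOCH" ]; then
        # Clock already plausible: check signatures including their
        # inception/expiration window.
        echo "--dnssec --dnssec-check-unsigned"
    elif [ "$ntpd_present" -eq 1 ]; then
        # Clock unset but ntpd will fix it: validate the chain but ignore
        # RRSIG times so ntp's own lookups resolve. An attacker still needs
        # a valid key, not just a spoofed reply. enable_timecheck turns the
        # time window check on once the clock is stepped.
        echo "--dnssec --dnssec-check-unsigned --dnssec-no-timecheck"
    else
        # No ntpd: nothing would ever switch time checks on, so bail out to
        # full validation from the start rather than run open-ended.
        echo "--dnssec --dnssec-check-unsigned"
    fi
}

# Called from an ntp "clock stepped" hook (assumed to exist). Sends SIGINT,
# which dnsmasq documents as enabling time checks after --dnssec-no-timecheck.
enable_timecheck() {
    pidfile=${1:-/var/run/dnsmasq.pid}   # assumed path
    [ -r "$pidfile" ] || return 1
    kill -INT "$(cat "$pidfile")"
}

# Demonstration with a constructed "clock still at 1970" boot:
dnssec_opts 1 0
```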
