On 01/10/15 11:37, Etienne Champetier wrote:
> Hi,
>
> 2015-10-01 12:19 GMT+02:00 Kevin Darbyshire-Bryant
> <ke...@darbyshire-bryant.me.uk>:
>
>     This patch stops SIGHUP from enabling dnssec timechecks if disabled by
>     use of --dnssec-no-timecheck option.  --dnssec-timestamp continues to
>     work correctly.
>
>
> I haven't really followed the previous discussion,
> but maybe you can just use another signal?
The user defined signals USR1 & USR2 are already occupied by dnsmasq
with debug/info dump type functions.  Maybe one of the SIGTT* signals
could be repurposed but I don't know how valid a solution that is.

However, even if that were done, it still doesn't stop a malicious
user/process from sending that new signal and potentially disabling dns
resolution (assuming dnssec is being used & the system time is incorrect).

Ideally some evaluation of threat presented by 'sysfixtime', 'dnssec
timestamp files', 'dnssec no timecheck' and the multi-function
'overloading' of SIGHUP into dnsmasq in the context of dnssec &
correct/incorrect system time should take place and an appropriate,
considered response and solution proposed/implemented.  That person
isn't me ;-)

I personally think that sysfixtime is a necessary evil, but at the very
least at the present moment until a more correct solution is
implemented, it should not be using dnsmasq's timestamp file as a source
time reference on boot.

  
>
>     Enabling dnssec timechecks now requires restarting dnsmasq without
>     the --dnssec-no-timecheck configuration option and closes a
>     potential denial of service exploit by sending SIGHUP when system
>     time does not correspond with Internet time.
>
>
>     This change may be useful for future ntpd/dnsmasq hotplug integration.
>
>
>     Signed-off-by: Kevin Darbyshire-Bryant
>     <ke...@darbyshire-bryant.me.uk>
>     ---
>      .../dnsmasq/patches/220-dnssec-disable-timecheck-hup.patch  | 13 +++++++++++++
>      1 file changed, 13 insertions(+)
>      create mode 100644 package/network/services/dnsmasq/patches/220-dnssec-disable-timecheck-hup.patch
>
>

