[Dnsmasq-discuss] dnssec-no-timecheck enhancement idea

Simon Kelley simon at thekelleys.org.uk
Mon Feb 9 16:02:22 GMT 2015


On 09/02/15 13:21, Kevin Darbyshire-Bryant wrote:
> Further to my previous email I've cobbled something together, and
> it even appears to work.  There's quite a bit of coding guesswork
> going on here and I really shouldn't be let anywhere near a C
> compiler.  Either way a new option '-dnssec_tvalid=integer' where
> integer is number of seconds since 1970 (epoch)  is implemented.
> If current system clock exceeds this time then dnssec timestamps
> will be checked, until that time they are not.
> 

Answering your previous mail as well, I like this as an idea.

I think the original concept (date after an arbitrary, recent, time) is
better if the time really is arbitrary. Putting timestamps in the
start-up infrastructure to pass to dnsmasq is a bit pointless: they
won't be "better" than something compiled into dnsmasq, and they're a
pain to generate (What's the command to spit out "now" in seconds
since 1970?). A bit of makefile wizardry could compile in "now" at
build time, as another idea.

However it occurs to me that many of the platforms we're talking about
here don't have an RTC, but they _do_ have non-volatile storage. How
about storing "now" to NVRAM every hour, and using _that_ as the time
which must be superseded?


The second path is well on the way, BTW, I'm happy to take it and bash
it into shape, once we agree on exactly what's needed.


Cheers,

Simon.
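
Added example, not part of the original message and not dnsmasq code: a C sketch of the stored-time idea above, combined with the compiled-in build-time stamp so that a missing file on first boot does not make a clock sitting near 1970 look valid. The function names, the file name and the BUILD_TIME_FLOOR value are assumptions made for illustration.

```c
#include <stdio.h>
#include <time.h>

/* Constructed stand-in for a "now" stamped in at build time (2015-02-09 UTC). */
#define BUILD_TIME_FLOOR ((time_t)1423440000)
#define SAVE_INTERVAL    ((time_t)3600)   /* store "now" every hour */

/* Last time written to `path`; 0 if the file is missing or unparsable. */
static time_t read_saved_time(const char *path)
{
    long long v = 0;
    FILE *f = fopen(path, "r");
    if (!f) return 0;
    if (fscanf(f, "%lld", &v) != 1 || v < 0) v = 0;
    fclose(f);
    return (time_t)v;
}

/* Write via temp file + rename so a power cut cannot leave a torn value. */
static int save_time(const char *path, time_t now)
{
    char tmp[512];
    FILE *f;
    int ok;
    if (snprintf(tmp, sizeof tmp, "%s.tmp", path) >= (int)sizeof tmp) return -1;
    if (!(f = fopen(tmp, "w"))) return -1;
    ok = fprintf(f, "%lld\n", (long long)now) > 0;
    if (fclose(f) != 0) ok = 0;
    if (!ok || rename(tmp, path) != 0) { remove(tmp); return -1; }
    return 0;
}

/* Returns 1 if `now` is past the newer of the stored time and the build-time
   floor (check signature timestamps), 0 if the clock is still behind. */
int dnssec_time_trusted(const char *path, time_t now)
{
    time_t saved = read_saved_time(path);
    time_t bar = saved > BUILD_TIME_FLOOR ? saved : BUILD_TIME_FLOOR;
    if (now <= bar) return 0;          /* never move the stored time backwards */
    if (now - saved >= SAVE_INTERVAL)
        (void)save_time(path, now);    /* best effort; a failed write keeps the old bar */
    return 1;
}

int main(void)
{
    const char *path = "dnssec-time.stamp";   /* hypothetical location */
    printf("check timestamps: %d\n", dnssec_time_trusted(path, time(NULL)));
    return 0;
}
```

The stored value only ever moves forward, so a device that reboots with its clock reset keeps skipping timestamp checks until the clock has been set past the last time it recorded.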





