[Dnsmasq-discuss] dnssec-no-timecheck enhancement idea

Kevin Darbyshire-Bryant kevin at darbyshire-bryant.me.uk
Sat Feb 7 19:58:02 GMT 2015


Hi Simon,

I've no idea how to go about coding this but I've an idea/requirement
for something along these lines.  It's similar to 'dnssec-no-timecheck'
chicken & egg but a bit more automated.

1) Set a 'check signature time' flag as false.
2) If flag is false, then check the current time of day.  If time of day
is greater than some provided value, say 'year 2015' then set 'check
time signature' as true and now check DNSSEC signature times.

The above assumes that those devices that don't support an RTC will
default to a time 'much in the past'; therefore, for anything greater,
it is 'assumed' that the time has been set correctly via NTP and that
signature checking should go ahead.  To my mind this makes handling
restarting dnsmasq in embedded environments much easier as no
'-SIGHUP'age is required, along with the intelligence to automatically
sighup after a brief period of time on a restart.

Thoughts?  Am I talking out of my backside (again)?

Kevin
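
The two steps proposed in the message above, sketched in C as an added example; it is not part of the original post and is not dnsmasq code. The names (time_gate, gate_update, rrsig_time_check, CLOCK_SANE_AFTER) and the threshold value are assumptions chosen for illustration, and the window test uses the serial-number comparison that RFC 4034 specifies for RRSIG inception and expiration.

```c
#include <stdint.h>
#include <time.h>

/* Assumed threshold: 2015-01-01 00:00:00 UTC, standing in for the
   "year 2015" value suggested in the post. */
#define CLOCK_SANE_AFTER ((time_t)1420070400)

/* Step 1: the flag starts out false (0). */
struct time_gate { int check_sig_time; };

/* Step 2: one-way latch. Once the clock has been seen past the
   threshold, time checking stays on even if the clock later jumps
   back, so resetting the clock cannot switch the check off again. */
static int gate_update(struct time_gate *g, time_t now)
{
    if (!g->check_sig_time && now > CLOCK_SANE_AFTER)
        g->check_sig_time = 1;
    return g->check_sig_time;
}

/* RFC 1982 serial comparison (a is at or after b), as RFC 4034
   section 3.1.5 requires for the 32-bit RRSIG time fields. */
static int serial_ge(uint32_t a, uint32_t b)
{
    return (uint32_t)(a - b) < 0x80000000u;
}

enum sig_time { SIG_TIME_OK, SIG_TIME_UNCHECKED, SIG_TIME_BAD };

/* Returns SIG_TIME_UNCHECKED while the clock is still implausible, so
   the caller can tell "in window" apart from "window not enforced":
   in that state an expired signature would not be rejected. */
static enum sig_time rrsig_time_check(struct time_gate *g, time_t now,
                                      uint32_t inception,
                                      uint32_t expiration)
{
    uint32_t t = (uint32_t)now;

    if (!gate_update(g, now))
        return SIG_TIME_UNCHECKED;
    if (serial_ge(t, inception) && serial_ge(expiration, t))
        return SIG_TIME_OK;
    return SIG_TIME_BAD;
}
```

A clock that is wrong but already later than the threshold, for example a stale time restored from flash, passes the gate and is then used for validation, so the threshold only covers the "booted at epoch" case.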

