Hi, hope this comment is not too late :)

On 23 September 2015 at 17:12, Steven Barth <cy...@openwrt.org> wrote:
> Using --dnssec-no-timecheck is impractical since it reacts to SIGHUP which
> is already overloaded and might be triggered by e.g. config changes.
>

Agree. I did not check the source code, but it's bad design if it is indeed the case that the DNSSEC time check will be enabled unconditionally on receiving the SIGHUP signal, which is already there for config reload.

> Btw. an ntp hotplug infrastructure exists:
> https://dev.openwrt.org/changeset/43421
>
> Please also consider that some devices have an RTC, so disabling timecheck
> indiscriminately at startup might not be ideal either.
>

To be honest, I have little prior experience with the DNSSEC protocol details. But considering the principles of least privilege and smaller attack surface, the DNSSEC time check SHOULD be disabled by default when no reliable time source is available. The timestamp file is more like a compromise, and compromise is a negative word when talking about security.

Then what do you guys think about the following proposal:

- An option like "dnssec_time_check" can be provided to let users switch it on explicitly if they know what the effect will be and are okay with it
- If no option was explicitly specified, then we might check the availability of an RTC in the service script and enable the time check if it's there

Regards,
yousong

>
>
> Cheers,
>
> Steven
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel@lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
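The decision logic proposed in the message above, written out as an added POSIX sh example. This is not code from the OpenWrt dnsmasq init script or from dnsmasq itself; it assumes a UCI option named dnssec_time_check (values 1, 0 or unset), detects an RTC by the presence of /dev/rtc0 or /dev/rtc (the device directory is a parameter so the logic can be exercised offline), and assumes an ntp hotplug script calls the second function once time is synced. The signal sent is SIGHUP because that is what the thread says dnsmasq reacts to; later dnsmasq releases changed this, so check the man page of the version actually shipped.

```shell
#!/bin/sh
# Added example, not OpenWrt's or dnsmasq's own code.
# Decide whether dnsmasq should start with --dnssec-no-timecheck.
#
# Assumptions (not from the thread):
#   - UCI option dnssec_time_check: 1 = check from start, 0 = defer, unset = auto
#   - an RTC is detected as /dev/rtc0 or /dev/rtc under DEV_DIR (default /dev)

# usage: dnsmasq_dnssec_timecheck_args OPTION_VALUE [DEV_DIR]
# Prints "--dnssec-no-timecheck" when signature validity periods must not be
# checked until a trusted time source appears; prints nothing when dnsmasq
# should check them from the start. Returns 2 on an invalid option value.
dnsmasq_dnssec_timecheck_args() {
    opt="$1"
    devdir="${2:-/dev}"

    case "$opt" in
        1)  # explicitly enabled by the user: keep the check on from start
            return 0 ;;
        0)  # explicitly disabled: defer until ntp hotplug says time is good
            echo "--dnssec-no-timecheck"
            return 0 ;;
        '') ;;  # unset: fall through to RTC detection
        *)  echo "dnssec_time_check: invalid value '$opt' (expected 0 or 1)" >&2
            return 2 ;;
    esac

    # No explicit choice: only trust the clock at boot if the box has an RTC.
    if [ -e "$devdir/rtc0" ] || [ -e "$devdir/rtc" ]; then
        return 0
    fi
    echo "--dnssec-no-timecheck"
}

# Hotplug side (assumed to be called from an ntp hotplug script after the
# clock has been set). Sends dnsmasq the signal that enables the deferred
# check (SIGHUP per the thread; newer dnsmasq versions use a different
# signal, verify against the shipped man page). Returns 1 when there is no
# pid file so the caller can tell that nothing was signalled.
dnsmasq_enable_timecheck() {
    pidfile="${1:-/var/run/dnsmasq.pid}"
    [ -r "$pidfile" ] || return 1
    kill -HUP "$(cat "$pidfile")"
}

# Example invocation from an init script (uci path is an assumption):
#   dnsmasq $(dnsmasq_dnssec_timecheck_args "$(uci -q get dhcp.@dnsmasq[0].dnssec_time_check)") ...
```

Note that an explicit dnssec_time_check=1 on a device without an RTC is the one combination that can reject every signed answer until the clock is set; the function honours it anyway because that is what "explicitly switched on" means in the proposal.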