2015-10-01 13:21 GMT+02:00 Kevin Darbyshire-Bryant < ke...@darbyshire-bryant.me.uk>:
> > > On 01/10/15 11:37, Etienne Champetier wrote: > > Hi, > > > > 2015-10-01 12:19 GMT+02:00 Kevin Darbyshire-Bryant > > <ke...@darbyshire-bryant.me.uk <mailto:ke...@darbyshire-bryant.me.uk>>: > > > > This patch stops SIGHUP from enabling dnssec timechecks if disabled > by > > use of --dnssec-no-timecheck option. --dnssec-timestamp continues to > > work correctly. > > > > > > I haven't really followed the previous discusion, > > but maybe you can just use another signal? > The user defined signals USR1 & USR2 are already occupied by dnsmasq > with debug/info dump type functions. Maybe one of the SIGTT* signals > could be repurposed but I don't know how valid a solution that is. > > However even if that were done it still doesn't stop a malicious > user/process from sending that new signal and potentially disabling dns > resolution (assuming dnssec is being used & the system time is incorrect) > you can only signal yourself http://stackoverflow.com/a/13335054/3768051 > > Ideally some evaluation of threat presented by 'sysfixtime', 'dnssec > timestamp files', 'dnssec no timecheck' and the multi-function > 'overloading' of SIGHUP into dnsmasq in the context of dnssec & > correct/incorrect system time should take place and an appropriate, > considered response and solution proposed/implemented. That person > isn't me ;-) > > I personally think that sysfixtime is a necessary evil, but at the very > least at the present moment until a more correct solution is > implemented, it should not be using dnsmasq's timestamp file as a source > time reference on boot. > > > > > > > > > > Enabling dnssec timechecks now requires restarting dnsmasq without > > the --dnssec-no-timecheck configuration option and closes a > > potential denial of service exploit by sending SIGHUP when system > > time does not correspond with Internet time. > > > > > > > > > > This change may be useful for future ntpd/dnsmasq hotplug > integration. > > > > > > Signed-off-by: Kevin Darbyshire-Bryant > > <ke...@darbyshire-bryant.me.uk <mailto:ke...@darbyshire-bryant.me.uk > >> > > --- > > .../dnsmasq/patches/220-dnssec-disable-timecheck-hup.patch | 13 > > +++++++++++++ > > 1 file changed, 13 insertions(+) > > create mode 100644 > > > > package/network/services/dnsmasq/patches/220-dnssec-disable-timecheck-hup.patch > > > > > > >
_______________________________________________ openwrt-devel mailing list openwrt-devel@lists.openwrt.org https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
