[OpenWrt-Devel] [PATCH v2] base-files: init/sysfixtime - exclude dnsmasq.time

Yousong Zhou yszhou4tech at gmail.com
Tue Sep 29 22:22:54 EDT 2015


Hi, hope this comment is not too late :)

On 23 September 2015 at 17:12, Steven Barth <cyrus at openwrt.org> wrote:
> Using --dnssec-no-timecheck is impractical since it reacts to SIGHUP which
> is already overloaded and might be triggered by e.g. config changes.
>

Agree.  I did not check the source code, but it's bad design if it is
indeed the case that dnssec time check will be enabled on any
condition on receiving SIGHUP signal which is already there for config
reload.

> Btw. an ntp hotplug infrastructure exists:
> https://dev.openwrt.org/changeset/43421
>
> Please also consider that some devices have an RTC, so disabling timecheck
> indiscriminately at startup might not be ideal either.
>

To be honest, I have little prior experience with the DNSSEC protocol
details.  But considering principles of least privilege and smaller
attack surface, the DNSSEC time check SHOULD be disabled by default
when no reliable time source is available.  The timestamp file is more
like a compromise and compromise is a negative word when talking about
security.

Then what do you guys think about the following proposal?

 - An option like "dnssec_time_check" can be provided to let users
switch it on explicitly if they know what the effect will be and are
okay with it
 - If no option was explicitly specified, then we might check the
availability of rtc in service script and enable the time check if
it's there

Regards,

                yousong

>
>
> Cheers,
>
> Steven
> _______________________________________________
> openwrt-devel mailing list
> openwrt-devel at lists.openwrt.org
> https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
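
The decision logic proposed in the message above, as an added example that is not code from this thread or from OpenWrt's dnsmasq init script. The function names, the accepted option values and the use of /sys/class/rtc as the RTC test are assumptions; "dnssec_time_check" and --dnssec-no-timecheck are the names used in the thread.

```shell
#!/bin/sh
# Added illustration: decide whether dnsmasq's DNSSEC time check stays enabled.
# Not OpenWrt's service script. Helper names are hypothetical.

# has_rtc DIR: succeeds if at least one rtcN device is registered under DIR.
# Assumption: a registered RTC is used as the stand-in for "reliable time
# source"; it says nothing about whether the clock battery is still good.
has_rtc() {
	for rtc_dev in "$1"/rtc[0-9]*; do
		[ -e "$rtc_dev" ] && return 0
	done
	return 1
}

# dnssec_time_args VALUE [DIR]
# VALUE is the user's "dnssec_time_check" setting ("" when unset).
# Prints the extra dnsmasq argument: nothing when the time check stays on,
# --dnssec-no-timecheck when it is switched off.
dnssec_time_args() {
	dtc_value="$1"
	dtc_rtc_dir="${2:-/sys/class/rtc}"
	case "$dtc_value" in
		1|on|true|yes)
			# Explicit opt-in: the user accepts the effect.
			return 0 ;;
		0|off|false|no)
			echo "--dnssec-no-timecheck"
			return 0 ;;
		"")
			# Unset: enable the check only when an RTC is present.
			has_rtc "$dtc_rtc_dir" || echo "--dnssec-no-timecheck"
			return 0 ;;
		*)
			# Refuse to guess on a malformed value.
			echo "dnssec_time_check: invalid value '$dtc_value'" >&2
			return 1 ;;
	esac
}
```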