[OpenWrt-Devel] [PATCH] dnsmasq: remove dnssec timecheck enable on SIGHUP
Kevin Darbyshire-Bryant
kevin at darbyshire-bryant.me.uk
Thu Oct 1 08:12:54 EDT 2015
On 01/10/15 12:56, Etienne Champetier wrote:
>
>
> 2015-10-01 13:21 GMT+02:00 Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>:
>
>
>
> On 01/10/15 11:37, Etienne Champetier wrote:
> > Hi,
> >
> > 2015-10-01 12:19 GMT+02:00 Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>:
> >
> > This patch stops SIGHUP from enabling dnssec timechecks if disabled by
> > use of --dnssec-no-timecheck option. --dnssec-timestamp continues to
> > work correctly.
> >
> >
> > I haven't really followed the previous discussion,
> > but maybe you can just use another signal?
> The user defined signals USR1 & USR2 are already occupied by dnsmasq
> with debug/info dump type functions. Maybe one of the SIGTT* signals
> could be repurposed but I don't know how valid a solution that is.
>
> However even if that were done it still doesn't stop a malicious
> user/process from sending that new signal and potentially disabling dns
> resolution (assuming dnssec is being used & the system time is incorrect)
>
>
> you can only signal yourself
> http://stackoverflow.com/a/13335054/3768051
It runs as nobody. So do other processes. I didn't raise the security
flag ;-)
>
>
>
> Ideally some evaluation of threat presented by 'sysfixtime', 'dnssec
> timestamp files', 'dnssec no timecheck' and the multi-function
> 'overloading' of SIGHUP into dnsmasq in the context of dnssec &
> correct/incorrect system time should take place and an appropriate,
> considered response and solution proposed/implemented. That person
> isn't me ;-)
>
That statement still stands.
> I personally think that sysfixtime is a necessary evil, but at the very
> least at the present moment until a more correct solution is
> implemented, it should not be using dnsmasq's timestamp file as a source
> time reference on boot.
>
>
> >
> >
> >
> > Enabling dnssec timechecks now requires restarting dnsmasq without
> > the --dnssec-no-timecheck configuration option and closes a
> > potential denial of service exploit by sending SIGHUP when system
> > time does not correspond with Internet time.
> >
> >
> >
> >
> > This change may be useful for future ntpd/dnsmasq hotplug integration.
> >
> >
> > Signed-off-by: Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk>
> > ---
> > .../dnsmasq/patches/220-dnssec-disable-timecheck-hup.patch | 13 +++++++++++++
> > 1 file changed, 13 insertions(+)
> > create mode 100644 package/network/services/dnsmasq/patches/220-dnssec-disable-timecheck-hup.patch
> >
> >
>
>
>
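An added example (not part of the original thread, and not dnsmasq or OpenWrt code) for the exchange above about who can signal dnsmasq when it runs as nobody: it applies the Linux kill(2) permission rule to constructed /proc/<pid>/status excerpts and lists the unprivileged processes that share a UID with the target. The PIDs, process names and the use of UID 65534 for nobody are assumptions.

```python
import re

# Constructed /proc/<pid>/status excerpts (not from the original thread).
# Uid: real, effective, saved-set, filesystem. 65534 stands in for "nobody".
SAMPLE_STATUS = {
    812: "Name:\tdnsmasq\nUid:\t65534\t65534\t65534\t65534\n",
    901: "Name:\tother-daemon\nUid:\t65534\t65534\t65534\t65534\n",
    950: "Name:\troot-daemon\nUid:\t0\t0\t0\t0\n",
    977: "Name:\tuser-shell\nUid:\t1000\t1000\t1000\t1000\n",
}


def parse_status(text):
    """Return (name, real, effective, saved) from a /proc/<pid>/status body."""
    name = re.search(r"^Name:\s*(.+)$", text, re.M).group(1)
    uid = re.search(r"^Uid:\s*(\d+)\s+(\d+)\s+(\d+)", text, re.M)
    real, eff, saved = (int(x) for x in uid.groups())
    return name, real, eff, saved


def may_signal(sender, target):
    """kill(2) rule on Linux: the sender's real or effective UID must equal
    the target's real or saved set-user-ID. Simplification (assumption):
    effective UID 0 is treated as holding CAP_KILL."""
    _, s_real, s_eff, _ = sender
    _, t_real, _, t_saved = target
    if s_eff == 0:
        return True
    return s_real in (t_real, t_saved) or s_eff in (t_real, t_saved)


def unprivileged_signalers(status_by_pid, target_pid):
    """Names of non-root processes that are allowed to signal target_pid."""
    procs = {pid: parse_status(t) for pid, t in status_by_pid.items()}
    target = procs[target_pid]
    return sorted(
        p[0] for pid, p in procs.items()
        if pid != target_pid and p[2] != 0 and may_signal(p, target)
    )


if __name__ == "__main__":
    # Audit view: which unprivileged peers could deliver SIGHUP to PID 812?
    print(unprivileged_signalers(SAMPLE_STATUS, 812))
```

On a live system the same functions can be fed the contents of each /proc/<pid>/status file; an empty result for the resolver's PID means only privileged processes can signal it.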