[OpenWrt-Devel] [PATCH] dnsmasq: remove dnssec timecheck enable on SIGHUP

Kevin Darbyshire-Bryant kevin at darbyshire-bryant.me.uk
Thu Oct 1 11:37:03 EDT 2015



On 01/10/15 16:20, Toke Høiland-Jørgensen wrote:
> Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk> writes:
>
>> This patch stops SIGHUP from enabling dnssec timechecks if disabled by
>> use of --dnssec-no-timecheck option.  --dnssec-timestamp continues to
>> work correctly.
> I'd argue that patching dnsmasq in this way is the wrong way to fix
> this. If you're worried about that DOS vector, don't use
> --dnssec-no-timecheck but rather use --dnssec-timestamp.
Hi Toke, small world :-)

Could I kindly ask you to read
https://patchwork.ozlabs.org/patch/521344/ particularly with regards to
Yousong's comments.  You'll hopefully appreciate the irony of your
suggestion and how things (by which I mean 'I') have been sent on a bit
of a merry-go-round of late.


>
> Also, in a scenario where --dnssec-no-timecheck is used, the expectation
> is that the time will be fixed in fairly short order (i.e. as soon as
> NTP syncs up), so the potential for this being a DOS vector is rather
> small I would say... And if you can SIGHUP the process you can also
> SIGKILL it.
>
> -Toke
I couldn't agree more.  But in order to cover one's backside AND because
SIGHUP is used for multiple things, e.g. poking dnsmasq to get it to
re-read some files, there's a possibility that it could be poked to
re-read config files (good) but with a side effect of checking dnssec
timestamps at exactly the wrong moment, i.e. before time is made correct (bad).

I think I'm actually trying to be helpful but I'm stepping off now
before I .....well I'm not sure what before, but just before ;-)   Back
to sqm.

Kevin
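As an added example (not from this thread, the patch, or dnsmasq's own code), here is a small POSIX sh reload guard that applies the timestamp-file idea behind --dnssec-timestamp to the reload step itself: it only sends SIGHUP to dnsmasq once the system clock is no older than a known-good timestamp file, so a config re-read cannot turn DNSSEC time checking on before NTP has set the clock. The file path, the pid argument and the dry-run flag are this example's own assumptions; `stat -c %Y` is GNU/BusyBox syntax.

```shell
#!/bin/sh
# Guarded dnsmasq reload (added example, not dnsmasq's code).
# Idea: keep a file whose mtime records the last time the clock was trusted.
# If "now" is earlier than that mtime, the clock has not been set yet
# (e.g. NTP has not synced), so a SIGHUP would enable DNSSEC timechecks at
# the wrong moment; defer it instead.

# clock_is_valid TIMESTAMP_FILE
# Returns 0 when the current time is not earlier than the file's mtime.
clock_is_valid() {
    ts_file=$1
    [ -e "$ts_file" ] || return 1
    now=$(date +%s)
    # %Y = mtime as seconds since epoch (GNU coreutils and BusyBox stat)
    mtime=$(stat -c %Y "$ts_file") || return 1
    [ "$now" -ge "$mtime" ]
}

# dnsmasq_reload TIMESTAMP_FILE PID [DRY_RUN]
# Sends SIGHUP only when the clock is valid and refreshes the timestamp
# file so later checks compare against the latest known-good time.
# Returns 0 if the reload was sent (or would be, in dry run), 2 if deferred.
dnsmasq_reload() {
    ts_file=$1; pid=$2; dry_run=${3:-0}
    if ! clock_is_valid "$ts_file"; then
        echo "clock not yet valid, deferring dnsmasq reload" >&2
        return 2
    fi
    touch "$ts_file"          # record this as a known-good time
    [ "$dry_run" = 1 ] && return 0
    kill -HUP "$pid"
}
```

On a real system the timestamp file would be the one given to --dnssec-timestamp, and the guard would be called from whatever normally pokes dnsmasq (e.g. a hotplug script), with the deferred reload retried after NTP reports sync.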


