[OpenWrt-Devel] [PATCH v2] base-files: init/sysfixtime - exclude dnsmasq.time
Kevin Darbyshire-Bryant
kevin at darbyshire-bryant.me.uk
Wed Sep 30 05:21:31 EDT 2015
On 30/09/15 03:22, Yousong Zhou wrote:
> Hi, hope this comment is not too late :)
To be blunt I've given up. There's a 'companion' patch
https://patchwork.ozlabs.org/patch/522968/ which also is mentally in the
same state.
Ultimately if ntpd can be persuaded to set a flag when it considers time
valid, then dnsmasq can be started with '--dnssec-no-timecheck' when
invalid and without '--dnssec-no-timecheck' when it is valid
irrespective of local (correctly?) set RTC. There's clearly a hole in
the sense that if dnssec is sent SIGHUP whilst -dnssec-no-timecheck is
included AND the time hasn't been set correctly then name resolution
will stop. Removing the 'SIGHUP' awareness of dnssec-no-timecheck from
what I remember of the code would be a trivial patch. ntpd should
completely restart dnsmasq to ensure its cache is completely security
validated.
This would also cope with the case where sysfixtime has picked up a
'naughty' file and set the time far in the future, though now I'm
mentally having issues with time going backwards.
I quote pertinent options from the dnsmasq man page for reference:
*--dnssec*
Validate DNS replies and cache DNSSEC data. When forwarding DNS
queries, dnsmasq requests the DNSSEC records needed to validate the
replies. The replies are validated and the result returned as the
Authenticated Data bit in the DNS packet. In addition the DNSSEC
records are stored in the cache, making validation by clients more
efficient. Note that validation by clients is the most secure DNSSEC
mode, but for clients unable to do validation, use of the AD bit set
by dnsmasq is useful, provided that the network between the dnsmasq
server and the client is trusted. Dnsmasq must be compiled with
HAVE_DNSSEC enabled, and DNSSEC trust anchors provided, see
*--trust-anchor.* Because the DNSSEC validation process uses the
cache, it is not permitted to reduce the cache size below the
default when DNSSEC is enabled. The nameservers upstream of dnsmasq
must be DNSSEC-capable, ie capable of returning DNSSEC records with
data. If they are not, then dnsmasq will not be able to determine
the trusted status of answers. In the default mode, this menas that
all replies will be marked as untrusted. If
*--dnssec-check-unsigned* is set and the upstream servers don't
support DNSSEC, then DNS service will be entirely broken.
*--dnssec-check-unsigned*
As a default, dnsmasq does not check that unsigned DNS replies are
legitimate: they are assumed to be valid and passed on (without the
"authentic data" bit set, of course). This does not protect against
an attacker forging unsigned replies for signed DNS zones, but it is
fast. If this flag is set, dnsmasq will check the zones of unsigned
replies, to ensure that unsigned replies are allowed in those zones.
The cost of this is more upstream queries and slower performance.
See also the warning about upstream servers in the section on
*--dnssec*
*--dnssec-no-timecheck*
DNSSEC signatures are only valid for specified time windows, and
should be rejected outside those windows. This generates an
interesting chicken-and-egg problem for machines which don't have a
hardware real time clock. For these machines to determine the
correct time typically requires use of NTP and therefore DNS, but
validating DNS requires that the correct time is already known.
Setting this flag removes the time-window checks (but not other
DNSSEC validation.) only until the dnsmasq process receives SIGHUP.
The intention is that dnsmasq should be started with this flag when
the platform determines that reliable time is not currently
available. As soon as reliable time is established, a SIGHUP should
be sent to dnsmasq, which enables time checking, and purges the
cache of DNS records which have not been throughly checked.
*--dnssec-timestamp=<path>*
Enables an alternative way of checking the validity of the system
time for DNSSEC (see --dnssec-no-timecheck). In this case, the
system time is considered to be valid once it becomes later than the
timestamp on the specified file. The file is created and its
timestamp set automatically by dnsmasq. The file must be stored on a
persistent filesystem, so that it and its mtime are carried over
system restarts. The timestamp file is created after dnsmasq has
dropped root, so it must be in a location writable by the
unprivileged user that dnsmasq runs as.
Note, by default openwrt uses 'dnssec, dnssec-check-unsigned,
dnssec-timestamp' - The man page arguably doesn't also emphasize enough
that if signature checking is enabled and the current time is incorrect
then resolution will fail (everything marked as bogus)
I await a new patch from a much better coder than me with enthusiasm!
-------------- next part --------------
A non-text attachment was scrubbed...
Name: smime.p7s
Type: application/pkcs7-signature
Size: 4816 bytes
Desc: S/MIME Cryptographic Signature
URL: <http://lists.infradead.org/pipermail/openwrt-devel/attachments/20150930/04a05157/attachment.p7s>
-------------- next part --------------
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel
More information about the openwrt-devel
mailing list