[OpenWrt-Devel] [PATCH] dnsmasq: remove dnssec timecheck enable on SIGHUP
Toke Høiland-Jørgensen
toke at toke.dk
Thu Oct 1 11:20:47 EDT 2015
Kevin Darbyshire-Bryant <kevin at darbyshire-bryant.me.uk> writes:

> This patch stops SIGHUP from enabling dnssec timechecks if disabled by
> use of --dnssec-no-timecheck option. --dnssec-timestamp continues to
> work correctly.

I'd argue that patching dnsmasq in this way is the wrong way to fix
this. If you're worried about that DOS vector, don't use
--dnssec-no-timecheck but rather use --dnssec-timestamp.

Also, in a scenario where --dnssec-no-timecheck is used, the expectation
is that the time will be fixed in fairly short order (i.e. as soon as
NTP syncs up), so the potential for this being a DOS vector is rather
small I would say... And if you can SIGHUP the process you can also
SIGKILL it.

-Toke
_______________________________________________
openwrt-devel mailing list
openwrt-devel at lists.openwrt.org
https://lists.openwrt.org/cgi-bin/mailman/listinfo/openwrt-devel