F20 Self Contained Change: Remove deprecated calls of using ntpdate in favor of ntpd

Paul Wouters pwouters at redhat.com
Wed Jul 17 17:50:31 UTC 2013


On Wed, 17 Jul 2013, Chris Adams wrote:

> Once upon a time, Paul Wouters <pwouters at redhat.com> said:
>> I understand the query. But you would either need to bypass the local
>> dns caching resolver or flush the cache afterwards. The second option has
>> a race condition, but the first has the problem that we are trying to reduce the
>> number of applications that modify /etc/resolv.conf to one (NM).
>
> No, you don't have to bypass or flush the cache.  The cache will hold
> the records whether you request validation or not; the difference is in
> the answer you get when you query the cache with/without validation
> requested.

No, data with RRSIGs failing validation (due to bad time) will never
enter into the cache, regardless of whether your dns query requested
DNSSEC validation. So to get those, you must accept anything, ergo
disable validation completely.  Once in the cache, there is no way to
remove them. That's why dnssec-triggerd uses resolv.conf to bring the
dnssec resolver "offline" while doing hotspot authentication, then moves
it back in resolv.conf afterwards.

>> That's not very compatible with other fs'es. What if someone is
>> upgrading from ext3? Or using btrfs? Or something new? I'd rather see a
>> more generic method of writing a timestamp to a well known location.
>
> ext3 also has the last-written field (I think it goes back to ext2 as
> well).  I don't know about btrfs.

I like the fake-hwclock idea suggested in this thread.

Paul
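
The time dependence behind "RRSIGs failing validation (due to bad time)", as an added example that is not part of the original message: an RRSIG carries inception and expiration times (RFC 4034, section 3.1.5) that a validator compares against the local clock using RFC 1982 serial arithmetic. The RRSIG values, the clock readings and the function names are constructed for illustration.

```python
from datetime import datetime, timezone

MOD = 1 << 32    # RRSIG time fields are 32-bit seconds since the epoch
HALF = 1 << 31


def parse_rrsig_time(text):
    """Convert RRSIG presentation time YYYYMMDDHHmmSS (UTC) to a 32-bit value."""
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % MOD


def serial_lt(a, b):
    """RFC 1982 'a < b' for 32-bit serial numbers (handles wrap-around)."""
    return a != b and ((b - a) % MOD) < HALF


def rrsig_time_status(inception, expiration, now):
    """Classify a signature's validity window against the local clock."""
    now %= MOD
    if serial_lt(now, inception):
        return "not-yet-valid"
    if serial_lt(expiration, now):
        return "expired"
    return "valid"


# Constructed RRSIG validity window (not taken from any real zone).
INCEPTION = parse_rrsig_time("20130710000000")
EXPIRATION = parse_rrsig_time("20130809000000")

# Constructed clock readings a machine might have at boot.
CLOCKS = {
    "no RTC, clock at epoch": "19700101000010",
    "restored from a timestamp saved at last shutdown": "20130716230000",
    "correct time": "20130717175031",
    "clock set far ahead": "20140101000000",
}


def status_at(clock_text):
    """Status of the constructed RRSIG when the local clock reads clock_text."""
    return rrsig_time_status(INCEPTION, EXPIRATION, parse_rrsig_time(clock_text))


if __name__ == "__main__":
    for label, clock in CLOCKS.items():
        print(f"{label:50s} {status_at(clock)}")
```

A clock restored from a saved timestamp, as fake-hwclock does, is slightly behind real time but still inside the window, so validation can succeed before NTP has corrected it.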

