On Wed, 17 Jul 2013, Chris Adams wrote:

> Once upon a time, Paul Wouters <pwouters@xxxxxxxxxx> said:
> > I understand the query. But you would either need to bypass the local
> > dns caching resolver or flush the cache afterwards. The second option has
> > a race condition, but the first has the problem that we are trying to reduce the
> > number of applications that modify /etc/resolv.conf to one (NM).
>
> No, you don't have to bypass or flush the cache. The cache will hold
> the records whether you request validation or not; the difference is in
> the answer you get when you query the cache with/without validation
> requested.

No, data with RRSIGs failing validation (due to bad time) will never
enter into the cache, regardless of whether your dns query requested
DNSSEC validation. So to get those, you must accept anything, ergo
disable validation completely. Once in the cache, there is no way to
remove them. That's why dnssec-triggerd uses resolv.conf to bring the
dnssec resolver "offline" while doing hotspot authentication, then moves
it back in resolv.conf afterwards.

> > That's not very compatible with other fs'es. What if someone is
> > upgrading from ext3? Or using btrfs? Or something new? I'd rather see a
> > more generic method of writing a timestamp to a well known location.
>
> ext3 also has the last-written field (I think it goes back to ext2 as
> well). I don't know about btrfs.

I like the fake-hwclock idea suggested in this thread.
Paul
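
The fake-hwclock idea the thread settles on, as an added example that is not part of this e-mail or of the fake-hwclock or dnssec-triggerd projects: a small POSIX shell helper that periodically writes the current time to a well-known file and, at boot, decides whether the system clock has to be stepped forward to that saved time. The point for DNSSEC is that a machine with no RTC boots at the epoch, every RRSIG then looks "not yet valid", and a validating resolver refuses to cache anything; restoring a lower bound on the clock before the resolver starts avoids that. The file path and the function names are assumptions for the example; the clock is only ever moved forward, never backward, so a stale file cannot push the clock back into the past.

```shell
#!/bin/sh
# Added example, not code from the thread or from fake-hwclock itself.
# Save the current time to a well-known file, and on boot step the clock
# forward to it if the kernel clock is behind (e.g. booted at the epoch
# on a machine without a battery-backed RTC).

# Assumed location; fake-hwclock's real path may differ.
FAKE_CLOCK_FILE="${FAKE_CLOCK_FILE:-/var/lib/fake-hwclock/saved-time}"

# save_time [FILE]: record the current time as seconds since the epoch.
# Written to a temp file and renamed so a crash mid-write cannot leave a
# truncated value behind.
save_time() {
    f="${1:-$FAKE_CLOCK_FILE}"
    mkdir -p "$(dirname "$f")"
    date +%s > "$f.tmp" && mv "$f.tmp" "$f"
}

# restore_decision FILE NOW: print the epoch seconds the clock should be
# set to, or print nothing if NOW is already at or after the saved time.
# Returns non-zero if the file is missing or does not hold a plain integer,
# so a corrupted file is ignored rather than trusted.
restore_decision() {
    f="$1"
    now="$2"
    [ -r "$f" ] || return 1
    saved=$(cat "$f")
    case "$saved" in
        ''|*[!0-9]*) return 1 ;;   # reject empty or non-numeric content
    esac
    if [ "$now" -lt "$saved" ]; then
        echo "$saved"
    fi
    return 0
}

# restore_time: apply the decision to the real system clock (needs root).
# Uses GNU date's "@SECONDS" input form.
restore_time() {
    target=$(restore_decision "$FAKE_CLOCK_FILE" "$(date +%s)") || return 0
    if [ -n "$target" ]; then
        date -s "@$target" >/dev/null
    fi
}

# Typical wiring: run "save_time" from a periodic timer and at shutdown,
# and "restore_time" early in boot, before the validating resolver starts.
```

With the clock restored to the last saved value the resolver may still be minutes or hours behind real time, but RRSIG validity windows are normally days long, so a lower bound that is merely recent is enough for validation to succeed and for NTP to then correct the remaining drift.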
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel