RPI4 + ntpdate + unbound

From: John Kennedy <warlock_at_phouka.net>
Date: Sat, 02 Jul 2022 04:02:05 UTC
  So I've got an RPI4 (no system time stored in NVRAM) that I did a stock
type FreeBSD install on, setting the time with ntpdate and the unbound
DNS server (aiming for DNSSEC).  As many people have noted before me,
that setup is sort of broken because you can't look up DNSSEC hosts if
you think it's 1970.  No NTP time servers == no date reset == no DNS.

  This example is probably terrible, but it's a starting talking point:

     $ grep -E '(ntpdate|unbound)' /etc/rc.conf
	ntpdate_enable="YES"
	ntpdate_XXX_dns="8.8.8.8"
	ntpdate_hosts="0.freebsd.pool.ntp.org"
	local_unbound_enable="YES"

  I basically added ntpdate_XXX_dns (pick a better name) to trigger the
new behavior.  If it and the ntpdate_hosts are set (I needed something to
feed to the /usr/bin/host program), then I build a list of IPs to feed
to ntpdate, bypassing unbound's DNSSEC lookup.

  The tee to /dev/console is just a way of showing what is processed:

    # /etc/rc.d/ntpdate restart
	Using domain server:
	Name: 8.8.8.8
	Address: 8.8.8.8#53
	Aliases:

	0.freebsd.pool.ntp.org has address 51.89.85.70
	0.freebsd.pool.ntp.org has address 23.92.64.226
	0.freebsd.pool.ntp.org has address 178.62.16.103
	0.freebsd.pool.ntp.org has address 130.255.77.87
	XXX ntpdate_hosts -> 51.89.85.70 23.92.64.226 178.62.16.103 130.255.77.87
	Setting date via ntp.
	 1 Jul 20:39:15 ntpdate[19554]: step time server 178.62.16.103 offset -0.006001 sec

  That is a totally insecure way of ingesting IPs (trusting DNS, which
might potentially find a way to append shell commands).  But again, just
a starting point to throw ideas at.

--- /usr/src/libexec/rc/rc.d/ntpdate	2022-06-25 15:39:37.070933000 -0700
+++ /etc/rc.d/ntpdate	2022-07-01 20:39:01.793869000 -0700
@@ -25,6 +25,12 @@
 			    else                    {print $2}}
 		' < "$ntpdate_config"`
 	fi
+	if [ -n " $ntpdate_XXX_dns" -a -n "$ntpdate_hosts" ]; then
+		host $ntpdate_hosts $ntpdate_XXX_dns
+		ntpdate_hosts=`host 0.freebsd.pool.ntp.org 8.8.8.8 | tee /dev/console | \
+			grep 'has address' | sed -E 's/^.* has address (.*$)/\1/' | xargs`
+		echo "XXX ntpdate_hosts -> $ntpdate_hosts"
+	fi
 	if [ -n "$ntpdate_hosts" -o -n "$rc_flags" ]; then
 		echo "Setting date via ntp."
 		${ntpdate_program:-ntpdate} $rc_flags $ntpdate_hosts
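Review bot: the guard on the first added line has a stray space inside the quotes, `-n " $ntpdate_XXX_dns"`, so the string is never empty and the test collapses to `-n "$ntpdate_hosts"`; it should read `-n "$ntpdate_XXX_dns"`. The two `host` invocations that follow also disagree: the first uses `$ntpdate_hosts $ntpdate_XXX_dns` but its output is thrown away, while the assignment hardcodes `host 0.freebsd.pool.ntp.org 8.8.8.8`, so changing either rc.conf variable has no effect on what is actually fed to ntpdate. Folding them into one command on the variables, e.g. `ntpdate_hosts=\`host "$ntpdate_hosts" "$ntpdate_XXX_dns" | ...\``, fixes that, with the caveat that host(1) only accepts one name, so a multi-host `ntpdate_hosts` would need a loop. Two smaller points: the `sed -E 's/^.* has address (.*$)/\1/'` capture accepts any text after "has address", which is the shell-injection worry raised in the mail, and restricting the match to a dotted quad (`[0-9]+(\.[0-9]+){3}`) would remove it; and if the lookup returns nothing, `ntpdate_hosts` is overwritten with an empty string and the later `-n "$ntpdate_hosts"` check silently skips setting the date, so keeping the original hostnames as a fallback when the list comes back empty would be safer. The `tee /dev/console` and the `echo "XXX ..."` are presumably debugging and should go before this is committed.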
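The mail flags that the IP list is taken from DNS output with no validation. The functions below are an added example (they are not part of John's patch or of the FreeBSD rc.d script) showing one way to do the extraction step defensively: parse host(1)-style text on stdin, keep only "NAME has address A.B.C.D" lines, and accept an address only if it is exactly four decimal octets in range, so nothing else the resolver returns can reach the ntpdate command line. The sample input is constructed here and includes an IPv6 line, an out-of-range octet and a line carrying trailing junk, all of which are dropped.

```shell
# Added example, not the patch from the mail. Reads host(1)-style output on
# stdin and prints one validated IPv4 address per line.
extract_ipv4_addrs() {
    # Keep only lines of exactly four fields "NAME has address X", then take
    # the fourth field. Anything with extra tokens after the address is dropped.
    awk '$2 == "has" && $3 == "address" && NF == 4 { print $4 }' |
    # Accept only a strict dotted quad: four octets, each 0-255, nothing else.
    grep -E '^((25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])\.){3}(25[0-5]|2[0-4][0-9]|1[0-9]{2}|[1-9]?[0-9])$'
}

# Join the validated addresses into the space-separated list ntpdate expects.
# Prints an empty line if no address survived validation, so the caller can
# test for -z and fall back to the original hostnames.
ntp_hosts_from_host_output() {
    extract_ipv4_addrs | xargs
}

# Constructed sample resembling the output shown in the mail, plus three lines
# a broken or hostile resolver path might produce.
SAMPLE_HOST_OUTPUT='Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

0.freebsd.pool.ntp.org has address 51.89.85.70
0.freebsd.pool.ntp.org has address 23.92.64.226
0.freebsd.pool.ntp.org has IPv6 address 2001:db8::1
0.freebsd.pool.ntp.org has address 999.1.1.1
0.freebsd.pool.ntp.org has address 51.89.85.70;echo injected'

# Runs the sample through the filter; expected result is the two valid IPs.
demo_ntp_hosts() {
    printf '%s\n' "$SAMPLE_HOST_OUTPUT" | ntp_hosts_from_host_output
}

demo_ntp_hosts
```

In the rc.d script this would replace the `grep | sed | xargs` pipeline: run `host "$name" "$ntpdate_XXX_dns" | ntp_hosts_from_host_output` for each name in `ntpdate_hosts`, and only overwrite `ntpdate_hosts` when the result is non-empty.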