Re: RPI4 + ntpdate + unbound

From: David Cornejo <dave_at_dogwood.com>
Date: Sat, 02 Jul 2022 08:49:33 UTC
On Fri, Jul 1, 2022 at 6:03 PM John Kennedy <warlock@phouka.net> wrote:
>
>   So I've got a RPI4 (no system time stored in NVRAM) that I did a stock
> type FreeBSD install on setting the time with ntpdate and the unbound
> DNS server (aiming for DNSSEC).  As many people have noted before me,
> that setup is sort of broken because you can't look up DNSSEC hosts if
> you think it's 1970.  No NTP time servers == no date reset == no DNS.
>
>   This example is probably terrible, but starting talk point:
>
>      $ grep -E '(ntpdate|unbound)' /etc/rc.conf
>         ntpdate_enable="YES"
>         ntpdate_XXX_dns="8.8.8.8"
>         ntpdate_hosts="0.freebsd.pool.ntp.org"
>         local_unbound_enable="YES"
>
>   I basically added ntpdate_XXX_dns (pick a better name) to trigger the
> new behavior.  If it and the ntpdate_hosts are set (I needed something to
> feed to the /usr/bin/host program), then I build a list of IPs to feed
> to ntpdate bypassing unbound's DNSSEC lookup.
>
>   The tee to /dev/console is just a way of showing what is processed:
>
>     # /etc/rc.d/ntpdate restart
>         Using domain server:
>         Name: 8.8.8.8
>         Address: 8.8.8.8#53
>         Aliases:
>
>         0.freebsd.pool.ntp.org has address 51.89.85.70
>         0.freebsd.pool.ntp.org has address 23.92.64.226
>         0.freebsd.pool.ntp.org has address 178.62.16.103
>         0.freebsd.pool.ntp.org has address 130.255.77.87
>         XXX ntpdate_hosts -> 51.89.85.70 23.92.64.226 178.62.16.103 130.255.77.87
>         Setting date via ntp.
>          1 Jul 20:39:15 ntpdate[19554]: step time server 178.62.16.103 offset -0.006001 sec
>
>   That is a totally insecure way of ingesting IPs (trusting DNS, which
> might potentially find a way to append shell commands).  But again, just
> a starting point to throw ideas at.
>
> --- /usr/src/libexec/rc/rc.d/ntpdate    2022-06-25 15:39:37.070933000 -0700
> +++ /etc/rc.d/ntpdate   2022-07-01 20:39:01.793869000 -0700
> @@ -25,6 +25,12 @@
>                             else                    {print $2}}
>                 ' < "$ntpdate_config"`
>         fi
> +       if [ -n " $ntpdate_XXX_dns" -a -n "$ntpdate_hosts" ]; then
> +               host $ntpdate_hosts $ntpdate_XXX_dns
> +               ntpdate_hosts=`host 0.freebsd.pool.ntp.org 8.8.8.8 | tee /dev/console | \
> +                       grep 'has address' | sed -E 's/^.* has address (.*$)/\1/' | xargs`
> +               echo "XXX ntpdate_hosts -> $ntpdate_hosts"
> +       fi
>         if [ -n "$ntpdate_hosts" -o -n "$rc_flags" ]; then
>                 echo "Setting date via ntp."
>                 ${ntpdate_program:-ntpdate} $rc_flags $ntpdate_hosts
>
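Review bot: the guard on the first added line, `if [ -n " $ntpdate_XXX_dns" -a -n "$ntpdate_hosts" ]`, has a space inside the quotes, so the tested string is never empty and `-n` is always true; the block runs even when `ntpdate_XXX_dns` is unset in rc.conf. Drop the space: `-n "$ntpdate_XXX_dns"`. The assignment two lines later also hard-codes `host 0.freebsd.pool.ntp.org 8.8.8.8` instead of `host $ntpdate_hosts $ntpdate_XXX_dns`, so the rc.conf values only reach the first `host` call, whose output goes to the console and is otherwise unused. Since the `sed | xargs` pipeline copies whatever follows `has address` straight into the `ntpdate` command line, it should keep only tokens that are strictly dotted-quad addresses (for example `grep -E '^[0-9]{1,3}(\.[0-9]{1,3}){3}$'` on the extracted field) rather than trusting the resolver's text. The `tee /dev/console` and the `XXX ntpdate_hosts` echo are debug output that should come out before this is proposed.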

I always hated this about the RPIs - I put a DS3231 on mine and the
problem disappears (there are cheaper chips, with less temperature
compensation, that should work fine). Your solution also requires a
working internet connection. I've also added a junk-box stratum 1
server on a UPS; while this was not expensive, it is a lot more than
an add-on clock. When completely isolated from the internet I can
still sync my clocks.

dave c

-- 
Kailua, Hawaiʻi
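The quoted patch extracts addresses from `host` output with `sed` and passes the result unfiltered to `ntpdate`, which the original poster himself flags as an unsafe way to ingest IPs. The following is an added example, not code from either poster or from FreeBSD's rc.d: a small POSIX sh function that accepts only lines of the exact form `<name> has address <dotted-quad>` and only when each octet is 0-255, dropping everything else (IPv6 lines, truncated addresses, stray trailing text). The sample `host` output is constructed for the demo, so the script runs offline; the `extract_ipv4` and `build_ntpdate_hosts` names are my own.

```shell
#!/bin/sh
# Added example: strict address extraction for an rc.d-style ntpdate bootstrap.
# Only tokens that are a valid IPv4 dotted quad survive; nothing else from the
# resolver's output can reach the ntpdate command line.

# Read "host"-style output on stdin, print one validated IPv4 address per line.
extract_ipv4() {
    awk '
        # Accept only "<name> has address <addr>" with exactly four fields.
        $2 == "has" && $3 == "address" && NF == 4 {
            n = split($4, o, ".")
            if (n != 4) next
            ok = 1
            for (i = 1; i <= 4; i++) {
                # each octet: digits only, at most 3 of them, value <= 255
                if (o[i] !~ /^[0-9]+$/ || length(o[i]) > 3 || o[i] + 0 > 255) ok = 0
            }
            if (ok) print $4
        }'
}

# Constructed sample of what "host 0.freebsd.pool.ntp.org 8.8.8.8" might print,
# padded with lines that a careful script must reject.
SAMPLE_HOST_OUTPUT='Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

0.freebsd.pool.ntp.org has address 51.89.85.70
0.freebsd.pool.ntp.org has address 23.92.64.226
0.freebsd.pool.ntp.org has address 300.1.1.1
0.freebsd.pool.ntp.org has address 178.62.16.103 trailing-junk
0.freebsd.pool.ntp.org has address 1.2.3
0.freebsd.pool.ntp.org has IPv6 address 2001:db8::1'

# Produce the space-separated list that would replace ntpdate_hosts.
build_ntpdate_hosts() {
    printf '%s\n' "$SAMPLE_HOST_OUTPUT" | extract_ipv4 | xargs
}

# In a real rc.d script the same filter sits between host and ntpdate:
#   ntpdate_hosts=$(host "$ntpdate_hosts" "$ntpdate_XXX_dns" | extract_ipv4 | xargs)
build_ntpdate_hosts
```

With the sample above the function yields `51.89.85.70 23.92.64.226`; the out-of-range octet, the line with trailing text, the three-octet address and the IPv6 line are all discarded. If the list comes back empty the caller should fall back to not running `ntpdate` at all rather than passing an empty or partial argument.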