Re: RPI4 + ntpdate + unbound
- Reply: John Kennedy : "Re: RPI4 + ntpdate + unbound"
- In reply to: John Kennedy : "RPI4 + ntpdate + unbound"
Date: Sat, 02 Jul 2022 08:49:33 UTC
On Fri, Jul 1, 2022 at 6:03 PM John Kennedy <warlock@phouka.net> wrote:
>
> So I've got a RPI4 (no system time stored in NVRAM) that I did a stock
> type FreeBSD install on, setting the time with ntpdate and the unbound
> DNS server (aiming for DNSSEC). As many people have noted before me,
> that setup is sort of broken because you can't look up DNSSEC hosts if
> you think it's 1970. No NTP time servers == no date reset == no DNS.
>
> This example is probably terrible, but starting talk point:
>
> $ grep -E '(ntpdate|unbound)' /etc/rc.conf
> ntpdate_enable="YES"
> ntpdate_XXX_dns="8.8.8.8"
> ntpdate_hosts="0.freebsd.pool.ntp.org"
> local_unbound_enable="YES"
>
> I basically added ntpdate_XXX_dns (pick a better name) to trigger the
> new behavior. If it and the ntpdate_hosts are set (I needed something to
> feed to the /usr/bin/host program), then I build a list of IPs to feed
> to ntpdate, bypassing unbound's DNSSEC lookup.
>
> The tee to /dev/console is just a way of showing what is processed:
>
> # /etc/rc.d/ntpdate restart
> Using domain server:
> Name: 8.8.8.8
> Address: 8.8.8.8#53
> Aliases:
>
> 0.freebsd.pool.ntp.org has address 51.89.85.70
> 0.freebsd.pool.ntp.org has address 23.92.64.226
> 0.freebsd.pool.ntp.org has address 178.62.16.103
> 0.freebsd.pool.ntp.org has address 130.255.77.87
> XXX ntpdate_hosts -> 51.89.85.70 23.92.64.226 178.62.16.103 130.255.77.87
> Setting date via ntp.
> 1 Jul 20:39:15 ntpdate[19554]: step time server 178.62.16.103 offset -0.006001 sec
>
> That is a totally insecure way of ingesting IPs (trusting DNS, which
> might potentially find a way to append shell commands). But again, just
> a starting point to throw ideas at.
>
> --- /usr/src/libexec/rc/rc.d/ntpdate 2022-06-25 15:39:37.070933000 -0700
> +++ /etc/rc.d/ntpdate 2022-07-01 20:39:01.793869000 -0700
> @@ -25,6 +25,12 @@
> else {print $2}}
> ' < "$ntpdate_config"`
> fi
> + if [ -n " $ntpdate_XXX_dns" -a -n "$ntpdate_hosts" ]; then
> + host $ntpdate_hosts $ntpdate_XXX_dns
> + ntpdate_hosts=`host 0.freebsd.pool.ntp.org 8.8.8.8 | tee /dev/console | \
> + grep 'has address' | sed -E 's/^.* has address (.*$)/\1/' | xargs`
> + echo "XXX ntpdate_hosts -> $ntpdate_hosts"
> + fi
> if [ -n "$ntpdate_hosts" -o -n "$rc_flags" ]; then
> echo "Setting date via ntp."
> ${ntpdate_program:-ntpdate} $rc_flags $ntpdate_hosts
>

I always hated this about the RPIs - I put a DS3231 on mine and the
problem disappears. (There are cheaper chips, with less temperature
compensation, that should work fine.) Your solution also requires a
working internet connection.

I've also added a junk-box stratum 1 server on a UPS. While this was not
expensive, it is a lot more than an add-on clock. When completely isolated
from the internet I can still sync my clocks.

dave c

--
Kailua, Hawaiʻi
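Review bot: in the quoted hunk @@ -25,6 +25,12 @@, the output of the first added line `host $ntpdate_hosts $ntpdate_XXX_dns` is discarded and the following command substitution hardcodes `host 0.freebsd.pool.ntp.org 8.8.8.8`, so the rc.conf variables never actually drive the lookup; use `host $ntpdate_hosts $ntpdate_XXX_dns` inside the backticks and drop the stray first call. The guard `-n " $ntpdate_XXX_dns"` has a leading space inside the quotes, so it is true even when the variable is unset; it should read `-n "$ntpdate_XXX_dns"`. Finally, the `grep | sed | xargs` pipeline forwards whatever follows "has address" straight onto the ntpdate command line, which is the concern the author raises; anchoring the match to a dotted-quad pattern (for example `grep -E 'has address [0-9.]+$'`) would bound what reaches ntpdate, and the `echo "XXX ..."` debug line should go before this is proposed for commit.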
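An added example, not the patch from the thread or any FreeBSD rc.d code, showing one way to address the "totally insecure way of ingesting IPs" concern raised above: every address from `host` is validated as a dotted quad before it can reach the ntpdate command line. It keeps the thread's rc.conf variable names and uses a hypothetical ntpdate_bootstrap_dns in place of ntpdate_XXX_dns; the parsing functions run on a constructed `host` transcript and never call host or ntpdate themselves.

```shell
# Added example (not the quoted patch): keep only well-formed IPv4 addresses
# from `host` output, so a resolver answer cannot inject shell text into ntpdate.

# Constructed sample of `host 0.freebsd.pool.ntp.org 8.8.8.8` output; the
# "999.1.1.1; rm -rf /" record is deliberately malformed to show it is dropped.
SAMPLE_HOST_OUTPUT='Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

0.freebsd.pool.ntp.org has address 51.89.85.70
0.freebsd.pool.ntp.org has address 23.92.64.226
0.freebsd.pool.ntp.org has address 999.1.1.1; rm -rf /
0.freebsd.pool.ntp.org has IPv6 address 2001:db8::1
0.freebsd.pool.ntp.org has address 178.62.16.103'

# is_ipv4 ADDR: succeed only for a dotted quad whose octets are 0-255.
# Runs in a subshell so the IFS change and set -f stay local.
is_ipv4() (
    IFS=.; set -f
    set -- $1
    [ $# -eq 4 ] || exit 1
    for octet; do
        case $octet in ''|*[!0-9]*) exit 1 ;; esac
        [ ${#octet} -le 3 ] && [ "$octet" -le 255 ] || exit 1
    done
    exit 0
)

# extract_ipv4_addrs: read `host` output on stdin and print one
# space-separated line of validated IPv4 addresses (empty if none).
extract_ipv4_addrs() {
    result=
    while read -r name has address addr rest; do
        [ "$has" = has ] && [ "$address" = address ] && [ -z "$rest" ] || continue
        is_ipv4 "$addr" || continue
        result="${result:+$result }$addr"
    done
    printf '%s\n' "$result"
}

# bootstrap_ntpdate: resolve each pool host via a plain, non-validating resolver
# (hypothetical ntpdate_bootstrap_dns) and run ntpdate only with validated IPs.
bootstrap_ntpdate() {
    addrs=$(for h in $ntpdate_hosts; do host "$h" "$ntpdate_bootstrap_dns"; done |
        extract_ipv4_addrs)
    [ -n "$addrs" ] || { echo "ntpdate: no usable NTP addresses" >&2; return 1; }
    ${ntpdate_program:-ntpdate} $rc_flags $addrs
}
```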