unbound and ntp issuse

Ronald Klop ronald-lists at klop.ws
Tue Jun 7 15:12:29 UTC 2016 

On Tue, 07 Jun 2016 12:43:35 +0200, Slawa Olhovchenkov <slw at zxy.spb.ru>  
wrote:

> On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote:
>
>> Like i said you could configure ntpdate as well as ntpd, but give it a
>> known good ip. It will only run once at boot, and ntpd will start after  
>> so
>> that can use the nice pool names.
>>
>> A slightly better way maybe to give ntpdate a server hostname like
>> ntp-server and populated the hosts file with one of the ips from
>> pool.ntp.org. You could then have a periodic script to check and update  
>> the
>> ip in the hosts every day, so it works over a reboot. The ip would
>> obviously have to have an initial seed value, but you could work this  
>> out
>> progmatically at system configuration time with tools like ansible.
>
> What purpose don't do it by standart scripts from base systems?
> Enforcing DNSSEC must be prevent this strange works on all systems
> lack CMOS time.


If the system lacks CMOS time it is hard to fix this problem. It is not  
only about NTP+DNSSEC, but also about the lack of timekeeping. This  
timekeeping problem can be solved by using a local ntp-server. That would  
break the deadlock of NTP+DNSSEC.

Ronald.


> I am not expert in sh scripting for this automation.
>
>> On 7 June 2016 at 09:47, Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:
>>
>> > On Tue, Jun 07, 2016 at 09:00:29AM +0100, krad wrote:
>> >
>> > > Well there is a deadlock situation there so you have to relax one  
>> of the
>> > > conditions, for one time at least.
>> > >
>> > > Your best bet is to do a manual ntpdate against a fixed ip of known
>> > > goodness. If you have a lot of machines you need to do this on, use
>> > ansible
>> > > or similar to do the heavy lifting for you. Ansible is best in my  
>> opinion
>> > > if you dont have anything setup as its quick to get going. It does
>> > require
>> > > python on the target machines so you would need to install that  
>> first.
>> > > Something like the following should get it working (as you dont  
>> have dns
>> > on
>> > > the target machine, package fetches wont work, so i would tunnel a  
>> squid
>> > > proxy and let that handle all the internet stuff.
>> > >
>> > > add something like the following to your ssh_config
>> > >
>> > > Host *
>> > > RemoteForward 31280 squid_server:3128
>> > >
>> > > then run some stuff like this (after installing ansible on your
>> > > desktop/bastion host)
>> > >
>> > > ansible  -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy=
>> > > http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i
>> > > <host_list_file> -kS --ask-su-pass
>> > >
>> > > ansible  -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy=
>> > > http://127.0.0.1:31280 pkg install python' -u root -i  
>> <host_list_file>
>> > > -kS --ask-su-pass
>> > >
>> > > ansible -m shell -a "ntpdate <good_ntp_server_ip>"  -kS  
>> --ask-su-pass -i
>> > > <host_list_file>
>> > >
>> > > from here on you should be able to start unbound and then ntpd eg
>> > >
>> > > ansible -m service -a "name=local_unbound state=restarted"
>> > >  -kS --ask-su-pass -i <host_list_file>
>> > > ansible -m service -a "name=ntpd state=restarted"  -kS  
>> --ask-su-pass -i
>> > > <host_list_file
>> > >
>> > > Alternatively you could just relax your dnssec rules on first boot  
>> to
>> > give
>> > > ntp a chance. Probably much easier 8)
>> >
>> > How I am do it? I am don't touch dnssec rules and don't know unbound.
>> > May be this is posible by startup scripts?
>> > Also, some platforms lack of CMOS time, RPi, for example.
>> >
>> > > Also make sure you are using the '-g' flag on ntpd
>> >
>> > Yes, I am add `ntpd_sync_on_start=yes` to rc.conf.
>> > I am suggest do it by checkbox in bsdinstall.
>> >
>> >
>> > > On 6 June 2016 at 14:50, Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:
>> > >
>> > > > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
>> > > >
>> > > > > Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
>> > > > >
>> > > > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert  
>> wrote:
>> > > > > >
>> > > > > >> Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
>> > > > > >>
>> > > > > >> > Default install with local_unbound and ntpd can't be  
>> functional
>> > with
>> > > > > >> > incorrect date/time in BIOS:
>> > > > > >> >
>> > > > > >> > Unbound requred correct time for DNSSEC check and refuseing
>> > queries
>> > > > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed  
>> to
>> > prime
>> > > > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
>> > > > > >> >
>> > > > > >> > ntpd don't have any numeric IP of ntp servers in ntp.conf  
>> --
>> > only
>> > > > > >> > symbolic names like 0.freebsd.pool.ntp.org, as result --  
>> can't
>> > > > > >> > resolve (see above, about DNSKEY).
>> > > > > >>
>> > > > > >> I can't see how this would happen. DNSSEC doesn't seem to be
>> > required
>> > > > in
>> > > > > >> a regular install as far as I can see. Certainly I don't  
>> have any
>> > > > > >
>> > > > > > I don't know reasson for enforcing DNSSEC in regular install.
>> > > > > > I am just select `local_unbound` at setup time and enter
>> > `127.0.0.1` as
>> > > > > > nameserver address.
>> > > > >
>> > > > > That's not enough to configure unbound as a fully recursive DNS
>> > > > > server.
>> > > >
>> > > > What I am missing?
>> > > > Need to fix unbound setup scripts? bsdinstall scripts?
>> > > > As I see unbound setup scripts detects 127.0.0.1 in resolv.conf  
>> and
>> > > > configured unbound as fully recursive DNS server.
>> > > >
>> > > > > If your system gets its address through DHCP, it is probably
>> > > > > getting DNS server addresses as well, and would work fine  
>> *without*
>> > your
>> > > > > configuring any of the DNS state.
>> > > >
>> > > > I am have static address and don't getting DNS server address.
>> > > >
>> > > > > >> problem on any of my systems, and I've never configured an  
>> anchor
>> > on
>> > > > the
>> > > > > >> internal systems.
>> > > > > >>
>> > > > > >> > IMHO, ntp.conf need to include some numeric IP of public  
>> ntp
>> > > > servers.
>> > > > > >>
>> > > > > >> Ouch; that's a terrible idea, for several different reasons.
>> > > > > >
>> > > > > > What else?
>> > > > >
>> > > > > All the normal reasons that hard-coding IP addresses is a bad  
>> idea;
>> > they
>> > > > > can change, you're encouraging a lot of people to use the same  
>> ones,
>> > etc.
>> > > >
>> > > > And how to resolve this issuse:
>> > > >
>> > > > - default install with unbound as recursive DNS server (by default
>> > > >   enforcing DNSSEC)
>> > > > - ntp time synchronisation
>> > > > - stale CMOS time (2008 year)
>> > > > _______________________________________________
>> > > > freebsd-stable at freebsd.org mailing list
>> > > > https://lists.freebsd.org/mailman/listinfo/freebsd-stable
>> > > > To unsubscribe, send any mail to "
>> > freebsd-stable-unsubscribe at freebsd.org"
>> > > >
>> >
> _______________________________________________
> freebsd-stable at freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"

More information about the freebsd-stable mailing list