resolution fails when the date of the server is more than 2 days late

Måns Nilsson mansaxel at
Mon Mar 2 07:34:48 UTC 2020

Subject: resolution fails when the date of the server is more than 2 days late Date: Mon, Mar 02, 2020 at 07:59:36AM +0100 Quoting dy1977--- via Unbound-users (unbound-users at
> I could do that by setting the ip address of somewhere, but if this
> ip address changes one day, the system will fail again, so I don't like it.

From a security perspective, it is important that the device fails safe,
that is it will do the least harmful thing to its affected humans. What
this is, is not readily obvious, because computers of course exist in
so many places and for so many reasons (embedded systems even more so,
of course.), that an analysis must be done specifically for the situation
at hand.  Here, it is the loss of trustworthiness in DNSSEC that comes
from querying an unknown resolver. Perhaps it is better to get some
resolution up and take things from there. Perhaps not. 

A few ideas, all bad; 

Is this the only local hardware you've got? Otherwise, the obvious answer
is to get the NTP server via DHCP option. Needs some adjustment, in
order to actually be used.

With control over services offered locallly, you also can get the NTP
client to listen for LAN broadcast/multicast NTP.

You can wrap the NTP startup script in some hackery that uses a
well-known full-service resolver to jumpstart the process, like so:

NTPIP=`dig A +short @`
grep PLACEHOLDER ntp.conf.input 
sed -e "s/PLACEHOLDER/${NTPIP}/" < ntp.conf.input > ntp.conf
diff ntp.conf.input ntp.conf
> server

The best solution is of course to get a RTC on the board. Even when
bad, it will keep the clock reasonable for some time. There are several
solutions, the most common being PCF2127 or ds1307 based i2c clocks.

Then, of course, you have a battery life cycle problem. As we say in
Sweden, any way you turn, your butt points backwards..


/Måns, borderline time-nut. 
Måns Nilsson     primary/secondary/besserwisser/machina
MN-1334-RIPE           SA0XLR            +46 705 989668
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <>

More information about the Unbound-users mailing list