resolution fails when the date of the server is more than 2 days late
Måns Nilsson
mansaxel at besserwisser.org
Mon Mar 2 07:34:48 UTC 2020
Subject: resolution fails when the date of the server is more than 2 days late Date: Mon, Mar 02, 2020 at 07:59:36AM +0100 Quoting dy1977--- via Unbound-users (unbound-users at lists.nlnetlabs.nl):
> I could do that by setting the ip address of ntp.org somewhere, but if this
> ip address changes one day, the system will fail again, so I don't like it.
From a security perspective, it is important that the device fails safe,
that is it will do the least harmful thing to its affected humans. What
this is, is not readily obvious, because computers of course exist in
so many places and for so many reasons (embedded systems even more so,
of course.), that an analysis must be done specifically for the situation
at hand. Here, it is the loss of trustworthiness in DNSSEC that comes
from querying an unknown resolver. Perhaps it is better to get some
resolution up and take things from there. Perhaps not.
A few ideas, all bad;
Is this the only local hardware you've got? Otherwise, the obvious answer
is to get the NTP server via DHCP option. Needs some adjustment, in
order to actually be used.
With control over services offered locallly, you also can get the NTP
client to listen for LAN broadcast/multicast NTP.
You can wrap the NTP startup script in some hackery that uses a
well-known full-service resolver to jumpstart the process, like so:
NTPIP=`dig ntp.se A +short @1.1.1.1`
grep PLACEHOLDER ntp.conf.input
server PLACEHOLDER
sed -e "s/PLACEHOLDER/${NTPIP}/" < ntp.conf.input > ntp.conf
diff ntp.conf.input ntp.conf
1c1
< server PLACEHOLDER
---
> server 194.58.200.20
The best solution is of course to get a RTC on the board. Even when
bad, it will keep the clock reasonable for some time. There are several
solutions, the most common being PCF2127 or ds1307 based i2c clocks.
Then, of course, you have a battery life cycle problem. As we say in
Sweden, any way you turn, your butt points backwards..
</offtopic>
/Måns, borderline time-nut.
--
Måns Nilsson primary/secondary/besserwisser/machina
MN-1334-RIPE SA0XLR +46 705 989668
HUMAN REPLICAS are inserted into VATS of NUTRITIONAL YEAST ...
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 195 bytes
Desc: not available
URL: <http://lists.nlnetlabs.nl/pipermail/unbound-users/attachments/20200302/39529ab3/attachment.bin>
More information about the Unbound-users
mailing list