resolution fails when the date of the server is more than 2 days late

Joe Abley jabley at hopcount.ca
Mon Mar 2 11:53:49 UTC 2020


Hi Dysmas,

On Mar 2, 2020, at 01:59, dy1977--- via Unbound-users <
unbound-users at lists.nlnetlabs.nl> wrote:

[...]

But when I haven't used a card for more than 1 or 2 days (I didn't test
the exact threshold), when I start one, I get into a vicious cycle:

The clock is 2 days or more late
All DNS resolutions fail because of this difference
ntp.org calls fail
The clock is not updated
All DNS resolutions fail
And so on...



Dave Knight and I once wrote down some thoughts about the process of
bootstrapping a cold validator onto the network. The draft apparently
didn't seem very interesting to anybody else and wasn't picked up by the
working group, but I think the potential for circular dependencies is worth
documenting.

Our approach was to specify that validation should be disabled following
boot until an accurate sense of time was acquired, which is what many
people in this thread have suggested.

If anybody thinks this document is worth resurrecting and would be happy to
say so out loud in dnsop, let me know. Perhaps providing greater focus on
setting the clock could make this more relevant.

https://tools.ietf.org/html/draft-jabley-dnsop-validator-bootstrap-00


Joe
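
The circular dependency described in this message, and the "defer validation until the clock is set" approach, as an added example that is not part of the original message or of the draft. The skew allowance (10% of the signature lifetime, clamped between 3600 s and 86400 s) is an assumption modelled on Unbound's val-sig-skew-min / val-sig-skew-max options; the dates and the cold_boot helper are constructed for illustration.

```python
from datetime import datetime, timedelta, timezone

def skew_allowance(inception, expiration, skew_min=3600, skew_max=86400):
    # Assumed model: 10% of the signature lifetime, clamped to [min, max] seconds.
    lifetime = (expiration - inception).total_seconds()
    return timedelta(seconds=max(skew_min, min(skew_max, lifetime / 10)))

def rrsig_time_status(now, inception, expiration):
    """Classify an RRSIG validity window against the validator's idea of 'now'."""
    allow = skew_allowance(inception, expiration)
    if now + allow < inception:
        return "not-yet-valid"   # local clock is behind: the case in this thread
    if now - allow > expiration:
        return "expired"         # local clock is ahead, or the zone was not re-signed
    return "ok"

def cold_boot(local_clock, true_time, sig, validate_before_sync):
    """Simulate boot: look up the NTP server name, then set the clock from NTP.

    Returns (state, clock). 'stuck' means the lookup was rejected as bogus,
    so NTP was never reached and the clock stays wrong.
    """
    inception, expiration = sig
    if validate_before_sync and rrsig_time_status(local_clock, inception, expiration) != "ok":
        return "stuck", local_clock
    # Lookup succeeded (validated, or validation deferred): NTP corrects the clock.
    clock = true_time
    # Validation is switched on only once the signatures check out against real time.
    if rrsig_time_status(clock, inception, expiration) == "ok":
        return "validating", clock
    return "stuck", clock

# Constructed sample data: a 14-day signature and a clock that is 3 days late.
UTC = timezone.utc
TRUE_TIME = datetime(2020, 3, 2, 12, 0, tzinfo=UTC)
SIG = (datetime(2020, 3, 1, tzinfo=UTC), datetime(2020, 3, 15, tzinfo=UTC))
STALE = TRUE_TIME - timedelta(days=3)

if __name__ == "__main__":
    print("allowance:", skew_allowance(*SIG))
    print("validate at boot:", cold_boot(STALE, TRUE_TIME, SIG, True))
    print("defer validation:", cold_boot(STALE, TRUE_TIME, SIG, False))
```

While validation is deferred, the NTP server names are resolved without DNSSEC protection, which is the trade-off of this approach.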