DNSSEC validating resolver on machines without RTC or wrong date

Fred Morris m3047-unbound-b3u at m3047.net
Sat Apr 15 23:53:51 UTC 2023

A question can be a good question, without being the right question...

On Sun, 16 Apr 2023, Petr Menšík via Unbound-users wrote:
> [...] I consider it a problem that this wrong date will *not* 
> fix automatically in otherwise default configuration.
> Like many other systems, Fedora tries to use chrony service to use NTP to 
> synchronize and correct the time. Problem is unless the user has configured 
> fixed IP or NTP servers were provided by DHCP, it needs to do DNS resolution.

This is where it starts to go off the rails for me. I mean: where? 
Someplace which is neither configured a fixed address or provisioned 
with DHCP... and yet is connected to the internet: where is that?

So since when is mDNS protected by DNSSEC? Is mDNS supposed to even 
require internet?

> Fedora uses 2.fedora.pool.ntp.org. ntp.org is not signed, but org. has to 
> pass validation.

Is there an internet connection? How does that work without a fixed IP or 

> [...]
> I would like to ask opinions how this should be fixed to autocorrect 
> auto-magically. I am aware unbound is more usually used on servers, which 
> should keep time synced on boot and are not powered off for extended time. 
> But I think it is a good choice also for workstations.

This has been an issue with TSIG for forever. If something is that broken, 
maybe somebody should wake up and pay attention: what if the whole 
datacenter has come adrift of its time moorings? (DAMHIK!)

I really can't picture what network you're envisioning, and if it's DR or 
"internet in a box" then that entails forethought.

Convince me that this is a DNS problem...


Fred Morris

More information about the Unbound-users mailing list