DNSSEC validating resolver on machines without RTC or wrong date
m3047-unbound-b3u at m3047.net
Sat Apr 15 23:53:51 UTC 2023
A question can be a good question, without being the right question...
On Sun, 16 Apr 2023, Petr Menšík via Unbound-users wrote:
> [...] I consider it a problem that this wrong date will *not*
> fix automatically in otherwise default configuration.
> Like many other systems, Fedora tries to use chrony service to use NTP to
> synchronize and correct the time. Problem is unless the user has configured
> fixed IP or NTP servers were provided by DHCP, it needs to do DNS resolution.
This is where it starts to go off the rails for me. I mean: where?
Someplace which is neither configured a fixed address or provisioned
with DHCP... and yet is connected to the internet: where is that?
So since when is mDNS protected by DNSSEC? Is mDNS supposed to even
> Fedora uses 2.fedora.pool.ntp.org. ntp.org is not signed, but org. has to
> pass validation.
Is there an internet connection? How does that work without a fixed IP or
DHCP or mDNS?
> I would like to ask opinions how this should be fixed to autocorrect
> auto-magically. I am aware unbound is more usually used on servers, which
> should keep time synced on boot and are not powered off for extended time.
> But I think it is a good choice also for workstations.
This has been an issue with TSIG for forever. If something is that broken,
maybe somebody should wake up and pay attention: what if the whole
datacenter has come adrift of its time moorings? (DAMHIK!)
I really can't picture what network you're envisioning, and if it's DR or
"internet in a box" then that entails forethought.
Convince me that this is a DNS problem...
More information about the Unbound-users