DNSSEC validating resolver on machines without RTC or wrong date
Paul Wouters
paul at nohats.ca
Mon Apr 17 13:45:44 UTC 2023
On Sun, 16 Apr 2023, Petr Menšík via Unbound-users wrote:
> Like many other systems, Fedora tries to use the chrony service to use NTP to
> synchronize and correct the time. The problem is that unless the user has configured
> a fixed IP or NTP servers were provided by DHCP, it needs to do DNS resolution.
> Fedora uses 2.fedora.pool.ntp.org. ntp.org is not signed, but org. has to
> pass validation. It will never succeed if the date is wrong and the cache is
> already up, therefore the system relies on it.
>
> I think it is a technical problem: there is a dependency loop. DNSSEC needs at
> least roughly correct time for unbound (or any validating resolver) to
> deliver the IP for the NTP server.
From a very practical point of view you can change the chrony service
file and use something like

[Service]
ExecStartPre=unbound-control insecure_add pool.ntp.org
ExecStartPost=dig pool.ntp.org
ExecStartPost=unbound-control insecure_del pool.ntp.org
ExecStartPost=unbound-control flush_zone pool.ntp.org
Paul
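As an added example (not from Paul's message, nor from the chrony or unbound projects), here is the same sequence written out as a complete systemd drop-in for Fedora's chronyd, using the 2.fedora.pool.ntp.org name Petr mentions. The unit name unbound.service, the binary paths, the drop-in path and the leading "-" prefixes are my assumptions.

```ini
# /etc/systemd/system/chronyd.service.d/dnssec-bootstrap.conf
# Added example, not code from the thread. Assumes unbound runs as
# unbound.service with remote-control enabled, so that unbound-control
# works for root, and that dig (bind-utils) is installed.
[Unit]
# Start after the resolver, otherwise unbound-control has nothing to talk to.
After=unbound.service
Wants=unbound.service

[Service]
# Mark the whole pool.ntp.org subtree insecure for the bootstrap window.
# The leading "-" means a failure here does not stop chronyd from starting.
ExecStartPre=-/usr/sbin/unbound-control insecure_add pool.ntp.org
# Prime the cache with the exact name chronyd will look up.
ExecStartPost=-/usr/bin/dig +short 2.fedora.pool.ntp.org
# Close the window again and discard whatever was resolved without validation.
ExecStartPost=-/usr/sbin/unbound-control insecure_del pool.ntp.org
ExecStartPost=-/usr/sbin/unbound-control flush_zone pool.ntp.org
```

After `systemctl daemon-reload` the drop-in applies on the next chronyd start. Two caveats worth knowing before relying on it: insecure_add only changes unbound's in-memory state, so it does not survive an unbound restart and does not need cleanup on reboot; and ExecStartPost runs as soon as chronyd's main process has been forked, not after chronyd's first name lookup, so if chronyd's first attempt happens to land after flush_zone it fails validation again and keeps retrying with back-off until the clock is right. While the window is open, any other client on the host asking for names under pool.ntp.org also gets unvalidated answers, which is the trade-off being made.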