DNSSEC validating resolver on machines without RTC or wrong date

Paul Wouters paul at nohats.ca
Mon Apr 17 13:45:44 UTC 2023

On Sun, 16 Apr 2023, Petr Menšík via Unbound-users wrote:

> Like many other systems, Fedora tries to use chrony service to use NTP to 
> synchronize and correct the time. Problem is unless the user has configured 
> fixed IP or NTP servers were provided by DHCP, it needs to do DNS resolution. 
> Fedora uses 2.fedora.pool.ntp.org. ntp.org is not signed, but org. has to 
> pass validation. It will never success if the date is wrong and the cache is 
> already up, therefore the system relies on it.
> I think it is a technical problem there is dependency loop. DNSSEC needs at 
> least roughly correct time in for unbound (or any validating resolver) to 
> deliver IP for NTP server.

>From a very practical point of view you can change the chrony service
file and use something like

ExecStartPre=unbound-control insecure_add ntp.pool.org

ExecStartPost=dig ntp.pool.org
ExecStartPost=unbound-control insecure_del ntp.pool.org
ExecStartPost=unbound-control flush_zone ntp.pool.org


More information about the Unbound-users mailing list