DNSSEC validating resolver on machines without RTC or wrong date

Petr Menšík pemensik at redhat.com
Wed Apr 19 19:41:59 UTC 2023

Yes, something like that should work. But I think we lack some systemd 
target, which would announce the time is already synchronized. Then some 
single-run service could have


ExecStartPost=unbound-control insecure_del ntp.pool.org
ExecStartPost=unbound-control flush_zone ntp.pool.org

Without guessing by dig it is already reachable. But yes, something like 
that should work.

I think it may make sense to have unbound-control flush_validate 
command. After I remove insecure flag to ntp.pool.org, I could just 
request revalidation of that that name. If anything under it were 
signed, but did not pass validation before or now, just flush such 
records. In most cases the data are already good, just have to be 
validated and marked secure. It could avoid innecessary new query for 
the same thing.

On 17. 04. 23 15:45, Paul Wouters wrote:
> On Sun, 16 Apr 2023, Petr Menšík via Unbound-users wrote:
>> Like many other systems, Fedora tries to use chrony service to use 
>> NTP to synchronize and correct the time. Problem is unless the user 
>> has configured fixed IP or NTP servers were provided by DHCP, it 
>> needs to do DNS resolution. Fedora uses 2.fedora.pool.ntp.org. 
>> ntp.org is not signed, but org. has to pass validation. It will never 
>> success if the date is wrong and the cache is already up, therefore 
>> the system relies on it.
>> I think it is a technical problem there is dependency loop. DNSSEC 
>> needs at least roughly correct time in for unbound (or any validating 
>> resolver) to deliver IP for NTP server.
> From a very practical point of view you can change the chrony service
> file and use something like
> ExecStartPre=unbound-control insecure_add ntp.pool.org
> ExecStartPost=dig ntp.pool.org
> ExecStartPost=unbound-control insecure_del ntp.pool.org
> ExecStartPost=unbound-control flush_zone ntp.pool.org
> Paul
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB

More information about the Unbound-users mailing list