On Tue, 2016-06-07 at 12:10 +0100, krad wrote:
> whoops, that should be
>
> ntpdate_hosts not servers
>
These suggestions are essentially insane because they're ignoring the
basic fact that the freebsd installer creates a non-working system. If
unbound requires DNSSEC, and DNSSEC requires good time, and good time
requires hostname resolution, then that circular dependency is a
problem that the freebsd project needs to fix, not something to be
hacked around by each individual sysadmin.
It is a bit disturbing to me that the project members who created this
situation have been silent in the face of *months* of reporting of it
by several different users.
-- Ian
>
> On 7 June 2016 at 12:09, krad <kraduk at gmail.com> wrote:
>
> > something as simple as this thrown in /etc/periodic/daily/ would
> > probably do it.
> >
> > #!/bin/sh
> > # refresh the address behind the fixed "ntp-server" name in /etc/hosts
> > ip=`dig pool.ntp.org +short | head -1`
> > [ -n "$ip" ] || exit 1   # leave /etc/hosts alone if the lookup failed
> > cp /etc/hosts /etc/hosts.old &&
> > sed -e "s/.*ntp-server/$ip ntp-server/" /etc/hosts.old > /etc/hosts
> >
> >
> > with these lines in rc.conf
> > ntpdate_enable=yes
> > ntpdate_servers="ntp-server"
> >
> >
> >
> >
> >
> > > On 7 June 2016 at 11:43, Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:
> >
> > > On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote:
> > >
> > > > Like I said, you could configure ntpdate as well as ntpd, but
> > > > give it a known good IP. It will only run once at boot, and ntpd
> > > > will start after, so that can use the nice pool names.
> > > >
> > > > A slightly better way may be to give ntpdate a server hostname
> > > > like ntp-server and populate the hosts file with one of the IPs
> > > > from pool.ntp.org. You could then have a periodic script to check
> > > > and update the IP in the hosts file every day, so it works over a
> > > > reboot. The IP would obviously have to have an initial seed value,
> > > > but you could work this out programmatically at system
> > > > configuration time with tools like Ansible.
> > >
> > > Why not do it with the standard scripts from the base system?
> > > Enforcing DNSSEC must not force this strange work on all systems
> > > that lack CMOS time.
> > >
> > > I am not an expert in sh scripting for this automation.
> > >
> > > > On 7 June 2016 at 09:47, Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:
> > > >
> > > > > On Tue, Jun 07, 2016 at 09:00:29AM +0100, krad wrote:
> > > > >
> > > > > > Well there is a deadlock situation there so you have to
> > > > > > relax one of the conditions, for one time at least.
> > > > > >
> > > > > > Your best bet is to do a manual ntpdate against a fixed IP
> > > > > > of known goodness. If you have a lot of machines you need to
> > > > > > do this on, use Ansible or similar to do the heavy lifting
> > > > > > for you. Ansible is best in my opinion if you don't have
> > > > > > anything set up, as it's quick to get going. It does require
> > > > > > Python on the target machines so you would need to install
> > > > > > that first. Something like the following should get it
> > > > > > working (as you don't have DNS on the target machine, package
> > > > > > fetches won't work, so I would tunnel a Squid proxy and let
> > > > > > that handle all the internet stuff).
> > > > > >
> > > > > > add something like the following to your ssh_config
> > > > > >
> > > > > > Host *
> > > > > >     RemoteForward 31280 squid_server:3128
> > > > > >
> > > > > > then run some stuff like this (after installing ansible on
> > > > > > your desktop/bastion host)
> > > > > >
> > > > > > ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy=http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i <host_list_file> -kS --ask-su-pass
> > > > > >
> > > > > > ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy=http://127.0.0.1:31280 pkg install python' -u root -i <host_list_file> -kS --ask-su-pass
> > > > > >
> > > > > > ansible -m shell -a "ntpdate <good_ntp_server_ip>" -kS --ask-su-pass -i <host_list_file>
> > > > > >
> > > > > > from here on you should be able to start unbound and then
> > > > > > ntpd, eg
> > > > > >
> > > > > > ansible -m service -a "name=local_unbound state=restarted" -kS --ask-su-pass -i <host_list_file>
> > > > > > ansible -m service -a "name=ntpd state=restarted" -kS --ask-su-pass -i <host_list_file>
> > > > > >
> > > > > > Alternatively you could just relax your dnssec rules on
> > > > > > first boot to give ntp a chance. Probably much easier 8)
> > > > >
> > > > > How do I do it? I don't touch DNSSEC rules and don't know
> > > > > unbound.
> > > > > Maybe this is possible by startup scripts?
> > > > > Also, some platforms lack CMOS time, RPi, for example.
> > > > >
> > > > > > Also make sure you are using the '-g' flag on ntpd
> > > > >
> > > > > Yes, I added `ntpd_sync_on_start=yes` to rc.conf.
> > > > > I suggest doing it by a checkbox in bsdinstall.
> > > > >
> > > > >
> > > > > > On 6 June 2016 at 14:50, Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:
> > > > > >
> > > > > > > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
> > > > > > >
> > > > > > > > Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
> > > > > > > >
> > > > > > > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> > > > > > > > >
> > > > > > > > > > Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
> > > > > > > > > >
> > > > > > > > > > > Default install with local_unbound and ntpd can't be
> > > > > > > > > > > functional with incorrect date/time in BIOS:
> > > > > > > > > > >
> > > > > > > > > > > Unbound requires correct time for the DNSSEC check and
> > > > > > > > > > > refuses queries ("Jul 1 20:17:29 yellowrat unbound:
> > > > > > > > > > > [3444:0] info: failed to prime trust anchor -- DNSKEY
> > > > > > > > > > > rrset is not secure . DNSKEY IN")
> > > > > > > > > > >
> > > > > > > > > > > ntpd doesn't have any numeric IP of NTP servers in
> > > > > > > > > > > ntp.conf -- only symbolic names like
> > > > > > > > > > > 0.freebsd.pool.ntp.org; as a result it can't resolve
> > > > > > > > > > > them (see above, about DNSKEY).
> > > > > > > > > >
> > > > > > > > > > I can't see how this would happen. DNSSEC doesn't seem to
> > > > > > > > > > be required in a regular install as far as I can see.
> > > > > > > > > > Certainly I don't have any
> > > > > > > > >
> > > > > > > > > I don't know the reason for enforcing DNSSEC in a regular
> > > > > > > > > install.
> > > > > > > > > I just selected `local_unbound` at setup time and entered
> > > > > > > > > `127.0.0.1` as the nameserver address.
> > > > > > > >
> > > > > > > > That's not enough to configure unbound as a fully recursive
> > > > > > > > DNS server.
> > > > > > >
> > > > > > > What am I missing?
> > > > > > > Do the unbound setup scripts need fixing? The bsdinstall scripts?
> > > > > > > As I see it, the unbound setup scripts detect 127.0.0.1 in
> > > > > > > resolv.conf and configure unbound as a fully recursive DNS
> > > > > > > server.
> > > > > > >
> > > > > > > > If your system gets its address through DHCP, it is probably
> > > > > > > > getting DNS server addresses as well, and would work fine
> > > > > > > > *without* your configuring any of the DNS state.
> > > > > > >
> > > > > > > I have a static address and don't get a DNS server address.
> > > > > > >
> > > > > > > > > > problem on any of my systems, and I've never configured an
> > > > > > > > > > anchor on the internal systems.
> > > > > > > > > >
> > > > > > > > > > > IMHO, ntp.conf needs to include some numeric IPs of
> > > > > > > > > > > public NTP servers.
> > > > > > > > > >
> > > > > > > > > > Ouch; that's a terrible idea, for several different
> > > > > > > > > > reasons.
> > > > > > > > >
> > > > > > > > > What else?
> > > > > > > >
> > > > > > > > All the normal reasons that hard-coding IP addresses is a
> > > > > > > > bad idea; they can change, you're encouraging a lot of people
> > > > > > > > to use the same ones, etc.
> > > > > > >
> > > > > > > And how to resolve this issue:
> > > > > > >
> > > > > > > - default install with unbound as recursive DNS server (by
> > > > > > >   default enforcing DNSSEC)
> > > > > > > - ntp time synchronisation
> > > > > > > - stale CMOS time (2008 year)
> > > > > > >
> > > > > > > _______________________________________________
> > > > > > > freebsd-stable at freebsd.org mailing list
> > > > > > > https://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > > > > > > To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
> > > > > > >
> > > > >
> > >
> >
> >
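Added at the end of the thread as a worked example; it is not code from any of the posters above. It turns the advice in the thread (step the clock once against a known-good address, then let ntpd use the pool hostnames) into a boot-time check that breaks the good-time -> DNSSEC -> name-resolution -> NTP loop Ian describes. The reference file /etc/rc, the log path /var/log/messages and the address 192.0.2.123 are placeholders, not values from the thread; the unbound log text is the line Slawa quoted.

```shell
#!/bin/sh
# Added example, not code from anyone in the thread above.
# Breaks the boot-time loop (good time -> DNSSEC -> name resolution -> NTP):
# if the clock is provably stale, step it once against a literal IP with
# ntpdate(8) before relying on the validating resolver; otherwise leave
# synchronisation to ntpd, which can use pool hostnames through unbound.
#
# Assumptions (placeholders, not values from the thread):
#   REFERENCE_FILE   a file that existed at install time; its mtime is a lower
#                    bound for "now" (/etc/rc is assumed here)
#   UNBOUND_LOG      where local_unbound logs (assumed /var/log/messages)
#   BOOTSTRAP_NTP_IP an NTP server address the admin has vetted (RFC 5737
#                    TEST-NET placeholder here; replace before use)
REFERENCE_FILE="${REFERENCE_FILE:-/etc/rc}"
UNBOUND_LOG="${UNBOUND_LOG:-/var/log/messages}"
BOOTSTRAP_NTP_IP="${BOOTSTRAP_NTP_IP:-192.0.2.123}"
DRY_RUN="${DRY_RUN:-1}"   # default to printing, never stepping the clock by accident

# Log line unbound emits with a bad clock, as quoted in the thread (constructed
# sample input for demo_stale_boot below).
SAMPLE_UNBOUND_LINE='Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN'

# mtime in epoch seconds; FreeBSD stat(1) syntax first, GNU stat as fallback.
file_mtime() {
    stat -f %m "$1" 2>/dev/null || stat -c %Y "$1" 2>/dev/null
}

# $1 = now (epoch seconds), $2 = reference (epoch seconds).
# A clock earlier than a file that already existed cannot be right.
clock_is_stale() {
    [ "$1" -lt "$2" ]
}

# $1 = log file. True when unbound reported the trust-anchor failure that a
# stale clock produces (RRSIG validity windows do not cover the local time).
trust_anchor_failed() {
    grep -q 'failed to prime trust anchor' "$1" 2>/dev/null
}

# $1 = now, $2 = reference, $3 = unbound log.
# Prints "step-by-ip" when DNSSEC cannot be trusted yet, "ntpd" otherwise.
choose_sync_strategy() {
    if clock_is_stale "$1" "$2" || trust_anchor_failed "$3"; then
        echo step-by-ip
    else
        echo ntpd
    fi
}

# The one-shot step. ntpdate -b steps the clock unconditionally, which is what
# a years-stale CMOS clock needs; afterwards ntpd (ntpd_sync_on_start=YES) can
# resolve 0.freebsd.pool.ntp.org through the now-working validator.
bootstrap_time() {
    now=$(date +%s)
    ref=$(file_mtime "$REFERENCE_FILE")
    case "$(choose_sync_strategy "$now" "${ref:-0}" "$UNBOUND_LOG")" in
        step-by-ip)
            if [ "$DRY_RUN" = 1 ]; then
                echo "would run: ntpdate -b $BOOTSTRAP_NTP_IP"
            else
                ntpdate -b "$BOOTSTRAP_NTP_IP"
            fi ;;
        ntpd)
            echo "clock plausible; leaving sync to ntpd" ;;
    esac
}

# Offline demonstration: a 2008 CMOS clock (the thread's case) against a 2016
# reference, with the constructed unbound log line. Prints the chosen strategy.
demo_stale_boot() {
    tmp=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_UNBOUND_LINE" > "$tmp"
    choose_sync_strategy 1199145600 1465300000 "$tmp"   # 2008-01-01 vs 2016-06-07
    rm -f "$tmp"
}

case "${1:-}" in
    run)  bootstrap_time ;;
    demo) demo_stale_boot ;;
esac
```

Run it as `sh bootstrap-time.sh demo` to see the decision for the stale-clock case, and `DRY_RUN=0 sh bootstrap-time.sh run` from an early rc hook (before local_unbound) to actually step the clock. Two caveats: trust_anchor_failed also matches lines left over from earlier boots, so on a system whose log is not rotated at boot rely on the clock check alone; and the single literal address is exactly the trade-off Lowell objects to, so it should be one vetted server under the administrator's control or contract rather than an address scraped from the public pool, and the hostname-in-/etc/hosts variant krad suggests (with ntpdate_hosts in rc.conf) is the same idea with the address kept in one place.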