On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote:
> Like i said you could configure ntpdate as well as ntpd, but give it a
> known good ip. It will only run once at boot, and ntpd will start after so
> that can use the nice pool names.
>
> A slightly better way maybe to give ntpdate a server hostname like
> ntp-server and populated the hosts file with one of the ips from
> pool.ntp.org. You could then have a periodic script to check and update the
> ip in the hosts every day, so it works over a reboot. The ip would
> obviously have to have an initial seed value, but you could work this out
> progmatically at system configuration time with tools like ansible.
What purpose don't do it by standart scripts from base systems?
Enforcing DNSSEC must be prevent this strange works on all systems
lack CMOS time.
I am not expert in sh scripting for this automation.
> On 7 June 2016 at 09:47, Slawa Olhovchenkov <slw at zxy.spb.ru>
wrote:
>
> > On Tue, Jun 07, 2016 at 09:00:29AM +0100, krad wrote:
> >
> > > Well there is a deadlock situation there so you have to relax one
of the
> > > conditions, for one time at least.
> > >
> > > Your best bet is to do a manual ntpdate against a fixed ip of
known
> > > goodness. If you have a lot of machines you need to do this on,
use
> > ansible
> > > or similar to do the heavy lifting for you. Ansible is best in my
opinion
> > > if you dont have anything setup as its quick to get going. It
does
> > require
> > > python on the target machines so you would need to install that
first.
> > > Something like the following should get it working (as you dont
have dns
> > on
> > > the target machine, package fetches wont work, so i would tunnel
a squid
> > > proxy and let that handle all the internet stuff.
> > >
> > > add something like the following to your ssh_config
> > >
> > > Host *
> > > RemoteForward 31280 squid_server:3128
> > >
> > > then run some stuff like this (after installing ansible on your
> > > desktop/bastion host)
> > >
> > > ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1
http_proxy> > > http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f'
-u root -i
> > > <host_list_file> -kS --ask-su-pass
> > >
> > > ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES
http_proxy> > > http://127.0.0.1:31280 pkg install python' -u root
-i <host_list_file>
> > > -kS --ask-su-pass
> > >
> > > ansible -m shell -a "ntpdate
<good_ntp_server_ip>" -kS --ask-su-pass -i
> > > <host_list_file>
> > >
> > > from here on you should be able to start unbound and then ntpd eg
> > >
> > > ansible -m service -a "name=local_unbound
state=restarted"
> > > -kS --ask-su-pass -i <host_list_file>
> > > ansible -m service -a "name=ntpd state=restarted" -kS
--ask-su-pass -i
> > > <host_list_file
> > >
> > > Alternatively you could just relax your dnssec rules on first
boot to
> > give
> > > ntp a chance. Probably much easier 8)
> >
> > How I am do it? I am don't touch dnssec rules and don't know
unbound.
> > May be this is posible by startup scripts?
> > Also, some platforms lack of CMOS time, RPi, for example.
> >
> > > Also make sure you are using the '-g' flag on ntpd
> >
> > Yes, I am add `ntpd_sync_on_start=yes` to rc.conf.
> > I am suggest do it by checkbox in bsdinstall.
> >
> >
> > > On 6 June 2016 at 14:50, Slawa Olhovchenkov <slw at
zxy.spb.ru> wrote:
> > >
> > > > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert
wrote:
> > > >
> > > > > Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
> > > > >
> > > > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell
Gilbert wrote:
> > > > > >
> > > > > >> Slawa Olhovchenkov <slw at zxy.spb.ru>
writes:
> > > > > >>
> > > > > >> > Default install with local_unbound and
ntpd can't be functional
> > with
> > > > > >> > incorrect date/time in BIOS:
> > > > > >> >
> > > > > >> > Unbound requred correct time for DNSSEC
check and refuseing
> > queries
> > > > > >> > ("Jul 1 20:17:29 yellowrat unbound:
[3444:0] info: failed to
> > prime
> > > > > >> > trust anchor -- DNSKEY rrset is not
secure . DNSKEY IN")
> > > > > >> >
> > > > > >> > ntpd don't have any numeric IP of ntp
servers in ntp.conf --
> > only
> > > > > >> > symbolic names like
0.freebsd.pool.ntp.org, as result -- can't
> > > > > >> > resolve (see above, about DNSKEY).
> > > > > >>
> > > > > >> I can't see how this would happen. DNSSEC
doesn't seem to be
> > required
> > > > in
> > > > > >> a regular install as far as I can see.
Certainly I don't have any
> > > > > >
> > > > > > I don't know reasson for enforcing DNSSEC in
regular install.
> > > > > > I am just select `local_unbound` at setup time and
enter
> > `127.0.0.1` as
> > > > > > nameserver address.
> > > > >
> > > > > That's not enough to configure unbound as a fully
recursive DNS
> > > > > server.
> > > >
> > > > What I am missing?
> > > > Need to fix unbound setup scripts? bsdinstall scripts?
> > > > As I see unbound setup scripts detects 127.0.0.1 in
resolv.conf and
> > > > configured unbound as fully recursive DNS server.
> > > >
> > > > > If your system gets its address through DHCP, it is
probably
> > > > > getting DNS server addresses as well, and would work
fine *without*
> > your
> > > > > configuring any of the DNS state.
> > > >
> > > > I am have static address and don't getting DNS server
address.
> > > >
> > > > > >> problem on any of my systems, and I've
never configured an anchor
> > on
> > > > the
> > > > > >> internal systems.
> > > > > >>
> > > > > >> > IMHO, ntp.conf need to include some
numeric IP of public ntp
> > > > servers.
> > > > > >>
> > > > > >> Ouch; that's a terrible idea, for several
different reasons.
> > > > > >
> > > > > > What else?
> > > > >
> > > > > All the normal reasons that hard-coding IP addresses is
a bad idea;
> > they
> > > > > can change, you're encouraging a lot of people to
use the same ones,
> > etc.
> > > >
> > > > And how to resolve this issuse:
> > > >
> > > > - default install with unbound as recursive DNS server (by
default
> > > > enforcing DNSSEC)
> > > > - ntp time synchronisation
> > > > - stale CMOS time (2008 year)
> > > > _______________________________________________
> > > > freebsd-stable at freebsd.org mailing list
> > > > https://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > > > To unsubscribe, send any mail to "
> > freebsd-stable-unsubscribe at freebsd.org"
> > > >
> >