On Tue, Jun 07, 2016 at 09:00:29AM +0100, krad wrote:
> Well there is a deadlock situation there so you have to relax one of the
> conditions, for one time at least.
>
> Your best bet is to do a manual ntpdate against a fixed ip of known
> goodness. If you have a lot of machines you need to do this on, use ansible
> or similar to do the heavy lifting for you. Ansible is best in my opinion
> if you dont have anything setup as its quick to get going. It does require
> python on the target machines so you would need to install that first.
> Something like the following should get it working (as you dont have dns on
> the target machine, package fetches wont work, so i would tunnel a squid
> proxy and let that handle all the internet stuff.
>
> add something like the following to your ssh_config
>
> Host *
> RemoteForward 31280 squid_server:3128
>
> then run some stuff like this (after installing ansible on your
> desktop/bastion host)
>
> ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy>
http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i
> <host_list_file> -kS --ask-su-pass
>
> ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy>
http://127.0.0.1:31280 pkg install python' -u root -i <host_list_file>
> -kS --ask-su-pass
>
> ansible -m shell -a "ntpdate <good_ntp_server_ip>" -kS
--ask-su-pass -i
> <host_list_file>
>
> from here on you should be able to start unbound and then ntpd eg
>
> ansible -m service -a "name=local_unbound state=restarted"
> -kS --ask-su-pass -i <host_list_file>
> ansible -m service -a "name=ntpd state=restarted" -kS
--ask-su-pass -i
> <host_list_file
>
> Alternatively you could just relax your dnssec rules on first boot to give
> ntp a chance. Probably much easier 8)
How I am do it? I am don't touch dnssec rules and don't know unbound.
May be this is posible by startup scripts?
Also, some platforms lack of CMOS time, RPi, for example.
> Also make sure you are using the '-g' flag on ntpd
Yes, I am add `ntpd_sync_on_start=yes` to rc.conf.
I am suggest do it by checkbox in bsdinstall.
> On 6 June 2016 at 14:50, Slawa Olhovchenkov <slw at zxy.spb.ru>
wrote:
>
> > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
> >
> > > Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
> > >
> > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert
wrote:
> > > >
> > > >> Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
> > > >>
> > > >> > Default install with local_unbound and ntpd
can't be functional with
> > > >> > incorrect date/time in BIOS:
> > > >> >
> > > >> > Unbound requred correct time for DNSSEC check and
refuseing queries
> > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0]
info: failed to prime
> > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY
IN")
> > > >> >
> > > >> > ntpd don't have any numeric IP of ntp servers
in ntp.conf -- only
> > > >> > symbolic names like 0.freebsd.pool.ntp.org, as
result -- can't
> > > >> > resolve (see above, about DNSKEY).
> > > >>
> > > >> I can't see how this would happen. DNSSEC
doesn't seem to be required
> > in
> > > >> a regular install as far as I can see. Certainly I
don't have any
> > > >
> > > > I don't know reasson for enforcing DNSSEC in regular
install.
> > > > I am just select `local_unbound` at setup time and enter
`127.0.0.1` as
> > > > nameserver address.
> > >
> > > That's not enough to configure unbound as a fully recursive
DNS
> > > server.
> >
> > What I am missing?
> > Need to fix unbound setup scripts? bsdinstall scripts?
> > As I see unbound setup scripts detects 127.0.0.1 in resolv.conf and
> > configured unbound as fully recursive DNS server.
> >
> > > If your system gets its address through DHCP, it is probably
> > > getting DNS server addresses as well, and would work fine
*without* your
> > > configuring any of the DNS state.
> >
> > I am have static address and don't getting DNS server address.
> >
> > > >> problem on any of my systems, and I've never
configured an anchor on
> > the
> > > >> internal systems.
> > > >>
> > > >> > IMHO, ntp.conf need to include some numeric IP of
public ntp
> > servers.
> > > >>
> > > >> Ouch; that's a terrible idea, for several different
reasons.
> > > >
> > > > What else?
> > >
> > > All the normal reasons that hard-coding IP addresses is a bad
idea; they
> > > can change, you're encouraging a lot of people to use the
same ones, etc.
> >
> > And how to resolve this issuse:
> >
> > - default install with unbound as recursive DNS server (by default
> > enforcing DNSSEC)
> > - ntp time synchronisation
> > - stale CMOS time (2008 year)
> > _______________________________________________
> > freebsd-stable at freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > To unsubscribe, send any mail to "freebsd-stable-unsubscribe at
freebsd.org"
> >