Like I said you could configure ntpdate as well as ntpd, but give it a
known good IP. It will only run once at boot, and ntpd will start after so
that it can use the nice pool names.
A slightly better way may be to give ntpdate a server hostname like
ntp-server and populate the hosts file with one of the IPs from
pool.ntp.org. You could then have a periodic script to check and update the
IP in the hosts file every day, so it works over a reboot. The IP would
obviously have to have an initial seed value, but you could work this out
programmatically at system configuration time with tools like ansible.
On 7 June 2016 at 09:47, Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:
> On Tue, Jun 07, 2016 at 09:00:29AM +0100, krad wrote:
>
> > Well there is a deadlock situation there so you have to relax one of
> > the conditions, for one time at least.
> >
> > Your best bet is to do a manual ntpdate against a fixed IP of known
> > goodness. If you have a lot of machines you need to do this on, use
> > ansible or similar to do the heavy lifting for you. Ansible is best in my
> > opinion if you don't have anything set up as it's quick to get going. It does
> > require python on the target machines so you would need to install that first.
> > Something like the following should get it working (as you don't have
> > dns on the target machine, package fetches won't work, so I would tunnel a
> > squid proxy and let that handle all the internet stuff).
> >
> > add something like the following to your ssh_config
> >
> > Host *
> > RemoteForward 31280 squid_server:3128
> >
> > then run some stuff like this (after installing ansible on your
> > desktop/bastion host)
> >
> > ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy=http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i <host_list_file> -kS --ask-su-pass
> >
> > ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy=http://127.0.0.1:31280 pkg install python' -u root -i <host_list_file> -kS --ask-su-pass
> >
> > ansible -m shell -a "ntpdate <good_ntp_server_ip>" -kS --ask-su-pass -i <host_list_file>
> >
> > from here on you should be able to start unbound and then ntpd eg
> >
> > ansible -m service -a "name=local_unbound state=restarted" -kS --ask-su-pass -i <host_list_file>
> > ansible -m service -a "name=ntpd state=restarted" -kS --ask-su-pass -i <host_list_file>
> >
> > Alternatively you could just relax your dnssec rules on first boot to
> > give ntp a chance. Probably much easier 8)
>
> How do I do it? I don't touch DNSSEC rules and don't know unbound.
> Maybe this is possible via startup scripts?
> Also, some platforms lack CMOS time, RPi for example.
>
> > Also make sure you are using the '-g' flag on ntpd
>
> Yes, I added `ntpd_sync_on_start=yes` to rc.conf.
> I suggest doing it via a checkbox in bsdinstall.
>
>
> > On 6 June 2016 at 14:50, Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:
> >
> > > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
> > >
> > > > Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
> > > >
> > > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> > > > >
> > > > >> Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
> > > > >>
> > > > >> > Default install with local_unbound and ntpd can't be functional with
> > > > >> > incorrect date/time in BIOS:
> > > > >> >
> > > > >> > Unbound requires correct time for the DNSSEC check and refuses queries
> > > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> > > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> > > > >> >
> > > > >> > ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
> > > > >> > symbolic names like 0.freebsd.pool.ntp.org, and as a result it can't
> > > > >> > resolve them (see above, about DNSKEY).
> > > > >>
> > > > >> I can't see how this would happen. DNSSEC doesn't seem to be required
> > > > >> in a regular install as far as I can see. Certainly I don't have any
> > > > >
> > > > > I don't know the reason for enforcing DNSSEC in a regular install.
> > > > > I just select `local_unbound` at setup time and enter `127.0.0.1` as
> > > > > nameserver address.
> > > >
> > > > That's not enough to configure unbound as a fully recursive DNS
> > > > server.
> > >
> > > What am I missing?
> > > Need to fix unbound setup scripts? bsdinstall scripts?
> > > As I see, the unbound setup scripts detect 127.0.0.1 in resolv.conf and
> > > configure unbound as a fully recursive DNS server.
> > >
> > > > If your system gets its address through DHCP, it is probably
> > > > getting DNS server addresses as well, and would work fine *without*
> > > > your configuring any of the DNS state.
> > >
> > > I have a static address and don't get a DNS server address.
> > >
> > > > >> problem on any of my systems, and I've never configured an anchor on
> > > > >> the internal systems.
> > > > >>
> > > > >> > IMHO, ntp.conf needs to include some numeric IPs of public ntp servers.
> > > > >>
> > > > >> Ouch; that's a terrible idea, for several different reasons.
> > > > >
> > > > > What else?
> > > >
> > > > All the normal reasons that hard-coding IP addresses is a bad idea;
> > > > they can change, you're encouraging a lot of people to use the same ones,
> > > > etc.
> > >
> > > And how to resolve this issue:
> > >
> > > - default install with unbound as recursive DNS server (by default
> > >   enforcing DNSSEC)
> > > - ntp time synchronisation
> > > - stale CMOS time (2008 year)
> > > _______________________________________________
> > > freebsd-stable at freebsd.org mailing list
> > > https://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > > To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
> > >
>
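The hosts-file pin suggested in the reply at the top of this thread, as an added example that is not part of the original thread or of FreeBSD's own scripts: a POSIX sh script that keeps one pinned address for the alias ntpdate is pointed at, refreshed from the pool name once DNS works again, so the pin is already in place on the next boot with a stale clock. The alias `ntp-server`, the function names and the `HOSTS_FILE` override are this example's own assumptions.

```shell
#!/bin/sh
# Keep a pinned "ntp-server" line in /etc/hosts so ntpdate(8) can step the clock
# at boot before local_unbound is able to validate DNSSEC. Run "refresh" once a
# day from cron: by then the clock is right and the pool name resolves, and the
# pinned address survives the next reboot with a stale CMOS clock.
# Assumes rc.conf carries ntpdate_enable="YES" and ntpdate_hosts="ntp-server";
# the alias, function and HOSTS_FILE override names below are this example's own.

NTP_ALIAS="ntp-server"                 # hostname ntpdate is pointed at
POOL_NAME="0.freebsd.pool.ntp.org"     # pool name from the default ntp.conf
HOSTS_FILE="${HOSTS_FILE:-/etc/hosts}" # overridable so the logic can be tested

# Print the first A record drill(1) (FreeBSD base) returns for NAME, or nothing.
resolve_pool_ip() {
    drill "$1" A 2>/dev/null | awk '$4 == "A" { print $5; exit }'
}

# Succeed only for a dotted quad with four octets in 0-255 (no bashisms).
valid_ipv4() {
    echo "$1" | awk -F. 'NF != 4 { exit 1 }
        { for (i = 1; i <= NF; i++) if ($i !~ /^[0-9]+$/ || $i > 255) exit 1 }'
}

# Print the address pinned for ALIAS in FILE; comment lines are ignored.
lookup_alias() {
    awk -v a="$2" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == a) { print $1; exit } }' "$1"
}

# Rewrite FILE so exactly one non-comment line maps ALIAS to IP (idempotent).
set_hosts_entry() {
    file=$1; name=$2; ip=$3
    tmp="$file.tmp.$$"
    awk -v a="$name" '$1 !~ /^#/ { for (i = 2; i <= NF; i++) if ($i == a) next } { print }' \
        "$file" > "$tmp"
    printf '%s\t%s\n' "$ip" "$name" >> "$tmp"
    mv "$tmp" "$file"
}

# Resolve the pool name and replace the pin; if resolution fails (for example
# because unbound is still refusing queries) keep the last known-good address.
refresh_pin() {
    ip=$(resolve_pool_ip "$POOL_NAME")
    valid_ipv4 "$ip" || return 1
    set_hosts_entry "$HOSTS_FILE" "$NTP_ALIAS" "$ip"
}

case "${1:-}" in
    refresh) refresh_pin || echo "pool lookup failed, keeping the old pin" >&2 ;;
esac
```

The initial seed is whatever address you write with `set_hosts_entry` at configuration time (from ansible, in the thread's setup); the daily `refresh` only ever replaces it with a freshly resolved one.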