On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote:

> Like I said, you could configure ntpdate as well as ntpd, but give it a
> known good IP. It will only run once at boot, and ntpd will start after, so
> that can use the nice pool names.
>
> A slightly better way may be to give ntpdate a server hostname like
> ntp-server and populate the hosts file with one of the IPs from
> pool.ntp.org. You could then have a periodic script to check and update the
> IP in the hosts file every day, so it works over a reboot. The IP would
> obviously have to have an initial seed value, but you could work this out
> programmatically at system configuration time with tools like ansible.

Why not do it with the standard scripts from the base system?
Enforcing DNSSEC must not require these strange workarounds on all systems
that lack CMOS time.

I am not an expert in sh scripting for this automation.

> On 7 June 2016 at 09:47, Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:
>
> > On Tue, Jun 07, 2016 at 09:00:29AM +0100, krad wrote:
> >
> > > Well, there is a deadlock situation there, so you have to relax one of the
> > > conditions, for one time at least.
> > >
> > > Your best bet is to do a manual ntpdate against a fixed IP of known
> > > goodness. If you have a lot of machines you need to do this on, use ansible
> > > or similar to do the heavy lifting for you. Ansible is best in my opinion
> > > if you don't have anything set up, as it's quick to get going. It does
> > > require python on the target machines, so you would need to install that
> > > first. Something like the following should get it working (as you don't
> > > have DNS on the target machine, package fetches won't work, so I would
> > > tunnel a squid proxy and let that handle all the internet stuff).
> > >
> > > Add something like the following to your ssh_config:
> > >
> > >     Host *
> > >         RemoteForward 31280 squid_server:3128
> > >
> > > then run some stuff like this (after installing ansible on your
> > > desktop/bastion host):
> > >
> > >     ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy=http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i <host_list_file> -kS --ask-su-pass
> > >
> > >     ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy=http://127.0.0.1:31280 pkg install python' -u root -i <host_list_file> -kS --ask-su-pass
> > >
> > >     ansible -m shell -a "ntpdate <good_ntp_server_ip>" -kS --ask-su-pass -i <host_list_file>
> > >
> > > From here on you should be able to start unbound and then ntpd, e.g.
> > >
> > >     ansible -m service -a "name=local_unbound state=restarted" -kS --ask-su-pass -i <host_list_file>
> > >     ansible -m service -a "name=ntpd state=restarted" -kS --ask-su-pass -i <host_list_file>
> > >
> > > Alternatively you could just relax your dnssec rules on first boot to give
> > > ntp a chance. Probably much easier 8)
> >
> > How do I do it? I don't touch dnssec rules and don't know unbound.
> > Maybe this is possible by startup scripts?
> > Also, some platforms lack CMOS time, RPi, for example.
> >
> > > Also make sure you are using the '-g' flag on ntpd
> >
> > Yes, I added `ntpd_sync_on_start=yes` to rc.conf.
> > I suggest doing it by a checkbox in bsdinstall.
> >
> > > On 6 June 2016 at 14:50, Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:
> > >
> > > > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
> > > >
> > > > > Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
> > > > >
> > > > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> > > > > >
> > > > > >> Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
> > > > > >>
> > > > > >> > Default install with local_unbound and ntpd can't be functional with
> > > > > >> > incorrect date/time in BIOS:
> > > > > >> >
> > > > > >> > Unbound requires correct time for the DNSSEC check and refuses queries
> > > > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> > > > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> > > > > >> >
> > > > > >> > ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
> > > > > >> > symbolic names like 0.freebsd.pool.ntp.org; as a result it can't
> > > > > >> > resolve (see above, about DNSKEY).
> > > > > >>
> > > > > >> I can't see how this would happen. DNSSEC doesn't seem to be required in
> > > > > >> a regular install as far as I can see. Certainly I don't have any
> > > > > >
> > > > > > I don't know the reason for enforcing DNSSEC in a regular install.
> > > > > > I just select `local_unbound` at setup time and enter `127.0.0.1` as
> > > > > > nameserver address.
> > > > >
> > > > > That's not enough to configure unbound as a fully recursive DNS
> > > > > server.
> > > >
> > > > What am I missing?
> > > > Need to fix the unbound setup scripts? bsdinstall scripts?
> > > > As I see it, the unbound setup scripts detect 127.0.0.1 in resolv.conf and
> > > > configure unbound as a fully recursive DNS server.
> > > >
> > > > > If your system gets its address through DHCP, it is probably
> > > > > getting DNS server addresses as well, and would work fine *without* your
> > > > > configuring any of the DNS state.
> > > >
> > > > I have a static address and don't get a DNS server address.
> > > >
> > > > > >> problem on any of my systems, and I've never configured an anchor on the
> > > > > >> internal systems.
> > > > > >>
> > > > > >> > IMHO, ntp.conf needs to include some numeric IPs of public ntp servers.
> > > > > >>
> > > > > >> Ouch; that's a terrible idea, for several different reasons.
> > > > > >
> > > > > > What else?
> > > > >
> > > > > All the normal reasons that hard-coding IP addresses is a bad idea; they
> > > > > can change, you're encouraging a lot of people to use the same ones, etc.
> > > >
> > > > And how to resolve this issue:
> > > >
> > > > - default install with unbound as recursive DNS server (by default
> > > >   enforcing DNSSEC)
> > > > - ntp time synchronisation
> > > > - stale CMOS time (2008 year)
> > > > _______________________________________________
> > > > freebsd-stable at freebsd.org mailing list
> > > > https://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > > > To unsubscribe, send any mail to "freebsd-stable-unsubscribe at freebsd.org"
Something as simple as this thrown in /etc/periodic/daily/ would probably do it:

    #!/bin/sh
    # refresh the pinned address once a day; dig +short lists the pool's A records
    ip=$(dig pool.ntp.org +short | head -1)
    # leave the old entry alone if resolution returned nothing
    [ -n "$ip" ] || exit 0
    cp /etc/hosts /etc/hosts.old &&
        sed -e "s/.*ntp-server/$ip ntp-server/" /etc/hosts.old > /etc/hosts

with these lines in rc.conf:

    ntpdate_enable=yes
    ntpdate_servers="ntp-server"

On 7 June 2016 at 11:43, Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:

> On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote:
>
> > Like I said, you could configure ntpdate as well as ntpd, but give it a
> > known good IP. It will only run once at boot, and ntpd will start after, so
> > that can use the nice pool names.
> >
> > A slightly better way may be to give ntpdate a server hostname like
> > ntp-server and populate the hosts file with one of the IPs from
> > pool.ntp.org. You could then have a periodic script to check and update the
> > IP in the hosts file every day, so it works over a reboot. The IP would
> > obviously have to have an initial seed value, but you could work this out
> > programmatically at system configuration time with tools like ansible.
>
> Why not do it with the standard scripts from the base system?
> Enforcing DNSSEC must not require these strange workarounds on all systems
> that lack CMOS time.
>
> I am not an expert in sh scripting for this automation.
>
> [...]
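The daily script above writes whatever the first line of `dig +short` was straight into /etc/hosts through sed. `dig +short` can return nothing (resolution failed) or a record that is not an address, and either way the hosts file is rewritten with it. What follows is an added example, not krad's script and not anything from FreeBSD's base system: it accepts an address only if it is a dotted-quad IPv4, replaces the pinned line through a single rename, and keeps the old pin when resolution fails. The alias `ntp-server` is the one used in the thread; the helper names, the temp-file layout and the `--run` switch are assumptions of this example.

```shell
#!/bin/sh
# Added example: keep a pinned NTP address in /etc/hosts so ntpdate can run
# before the validating resolver is usable.  Not krad's script; helper names
# and the temp-file handling are assumptions of this example.

NTP_ALIAS="ntp-server"            # alias used in the thread's rc.conf

# is_ipv4 ADDR: succeed only for four dotted decimal octets in 0..255
is_ipv4() {
    case $1 in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    oldifs=$IFS; IFS=.
    set -- $1
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# update_hosts_entry FILE IP: rewrite FILE so exactly one line maps IP to
# NTP_ALIAS; fail and leave FILE untouched if IP is not an address
update_hosts_entry() {
    file=$1; ip=$2
    is_ipv4 "$ip" || return 1
    tmp="$file.tmp.$$"
    # drop any previous line for the alias, then append the fresh one
    grep -v "[[:space:]]$NTP_ALIAS\$" "$file" > "$tmp" || true
    printf '%s\t%s\n' "$ip" "$NTP_ALIAS" >> "$tmp"
    # one rename, so a reader never sees a half-written hosts file
    mv "$tmp" "$file"
}

# resolve_first_ipv4 NAME: first answer from dig +short that passes is_ipv4
# (dig as in the posted script; needs a working resolver, so this belongs in
# the daily periodic job, after time is already in sync)
resolve_first_ipv4() {
    dig "$1" A +short 2>/dev/null | while read -r rr; do
        if is_ipv4 "$rr"; then printf '%s\n' "$rr"; break; fi
    done
}

# refresh_pin [HOSTSFILE]: the daily job; keeps the old pin on any failure
refresh_pin() {
    hosts=${1:-/etc/hosts}
    ip=$(resolve_first_ipv4 pool.ntp.org)
    [ -n "$ip" ] || return 0      # resolution failed: keep the existing pin
    update_hosts_entry "$hosts" "$ip"
}

# only touch the real hosts file when explicitly asked
if [ "${1:-}" = "--run" ]; then
    refresh_pin "${2:-/etc/hosts}"
fi
```

Invoked as `sh refresh-ntp-pin.sh --run` from /etc/periodic/daily/ it does the same job as the posted script; without `--run` it only defines the functions, which is what lets the address check and the rewrite be exercised on a scratch file.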
On Tue, 07 Jun 2016 12:43:35 +0200, Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:

> On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote:
>
>> Like I said, you could configure ntpdate as well as ntpd, but give it a
>> known good IP. It will only run once at boot, and ntpd will start after, so
>> that can use the nice pool names.
>>
>> A slightly better way may be to give ntpdate a server hostname like
>> ntp-server and populate the hosts file with one of the IPs from
>> pool.ntp.org. You could then have a periodic script to check and update the
>> IP in the hosts file every day, so it works over a reboot. The IP would
>> obviously have to have an initial seed value, but you could work this out
>> programmatically at system configuration time with tools like ansible.
>
> Why not do it with the standard scripts from the base system?
> Enforcing DNSSEC must not require these strange workarounds on all systems
> that lack CMOS time.

If the system lacks CMOS time it is hard to fix this problem. It is not
only about NTP+DNSSEC, but also about the lack of timekeeping. This
timekeeping problem can be solved by using a local ntp-server. That would
break the deadlock of NTP+DNSSEC.

Ronald.

> I am not an expert in sh scripting for this automation.
>
> [...]
On Tue, Jun 07, 2016 at 04:56:47PM +0200, Ronald Klop wrote:

> On Tue, 07 Jun 2016 12:43:35 +0200, Slawa Olhovchenkov <slw at zxy.spb.ru>
> wrote:
>
> > On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote:
> >
> >> [...]
> >
> > Why not do it with the standard scripts from the base system?
> > Enforcing DNSSEC must not require these strange workarounds on all systems
> > that lack CMOS time.
>
> If the system lacks CMOS time it is hard to fix this problem. It is not
> only about NTP+DNSSEC, but also about the lack of timekeeping. This
> timekeeping problem can be solved by using a local ntp-server. That would
> break the deadlock of NTP+DNSSEC.

ntpd_sync_on_start=yes
unbound starts in relaxed mode until time is synced;
after ntp has synced, unbound switches to DNSSEC mode;
ntpd re-resolves the ntp server addresses.

What is wrong with this?
Some software needs modification, yes. This is the price for enforcing DNSSEC.
Many systems don't have CMOS by design.

> > I am not an expert in sh scripting for this automation.
> >
> > [...]
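To make the ordering in the message above concrete, here is an added example (my code, not anything from FreeBSD's rc.d scripts or from Slawa's setup) of the gate it implies: treat the clock as untrusted until it is at least as late as a known install-time reference, step it once from an address that needs no DNS, and let DNSSEC validation come up only after that. `REF_EPOCH` and `PINNED_NTP` are assumed values; the steps it emits are the commands the thread already names. The caveat to keep in mind is that the one-shot step against a pinned server is unauthenticated NTP, the same trust `ntpd -g` extends to its initial step, and nothing resolved before `local_unbound` is running is validated, so the relaxed window should cover the time step and nothing else.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD's rc.d: models the
# bootstrap order "sync time first, validate DNSSEC second" as decisions a
# boot script can make.  REF_EPOCH and PINNED_NTP are assumed values.

REF_EPOCH=1465257600          # 2016-06-07T00:00:00Z: assumed install time;
                              # a clock earlier than this is a stale CMOS
PINNED_NTP="192.0.2.123"      # assumed address, reachable without DNS

# rrsig_time_ok NOW INCEPTION EXPIRATION (epoch seconds): a validator only
# accepts a signature inside [inception, expiration], so a 2008 clock makes
# every current RRSIG "not yet valid" and the root DNSKEY fails to prime.
# Plain integer compare; RFC 4034 serial arithmetic gives the same answer
# for differences of a few years.
rrsig_time_ok() {
    [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]
}

# clock_plausible NOW: the clock cannot legitimately be before REF_EPOCH
clock_plausible() {
    [ "$1" -ge "$REF_EPOCH" ]
}

# bootstrap_plan NOW: print the steps to run, one per line
bootstrap_plan() {
    if clock_plausible "$1"; then
        # validation can work already; ntpd resolves the pool names itself
        printf '%s\n' "service local_unbound start" "service ntpd start"
    else
        # 1. step the clock once from a pinned address (no DNS, no DNSSEC);
        #    an unauthenticated one-shot, the same trust as ntpd -g
        # 2. only then start the validating resolver and ntpd
        printf '%s\n' "ntpdate -b $PINNED_NTP" \
                      "service local_unbound start" \
                      "service ntpd start"
    fi
}

# run_bootstrap [RUNNER]: execute the plan for the current clock.  RUNNER is
# a command that takes one step string (default: eval), so it can be stubbed.
run_bootstrap() {
    runner=${1:-eval}
    bootstrap_plan "$(date +%s)" | while IFS= read -r step; do
        $runner "$step" || exit 1     # stop at the first failed step
    done
}
```

Called as `run_bootstrap` from a late rc script it executes the steps for real; called with a logging function as the runner it only records what it would have done, which is how the ordering can be checked on a host whose clock is fine.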