On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:

> Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
>
> > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> >
> >> Slawa Olhovchenkov <slw at zxy.spb.ru> writes:
> >>
> >> > Default install with local_unbound and ntpd can't be functional with
> >> > incorrect date/time in BIOS:
> >> >
> >> > Unbound requires correct time for the DNSSEC check and refuses queries
> >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> >> >
> >> > ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
> >> > symbolic names like 0.freebsd.pool.ntp.org, as a result -- can't
> >> > resolve (see above, about DNSKEY).
> >>
> >> I can't see how this would happen. DNSSEC doesn't seem to be required in
> >> a regular install as far as I can see. Certainly I don't have any
> >
> > I don't know the reason for enforcing DNSSEC in a regular install.
> > I just select `local_unbound` at setup time and enter `127.0.0.1` as
> > nameserver address.
>
> That's not enough to configure unbound as a fully recursive DNS
> server.

What am I missing?
Need to fix unbound setup scripts? bsdinstall scripts?
As I see it, the unbound setup scripts detect 127.0.0.1 in resolv.conf and
configure unbound as a fully recursive DNS server.

> If your system gets its address through DHCP, it is probably
> getting DNS server addresses as well, and would work fine *without* your
> configuring any of the DNS state.

I have a static address and don't get DNS server addresses.

> >> problem on any of my systems, and I've never configured an anchor on the
> >> internal systems.
> >>
> >> > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
> >>
> >> Ouch; that's a terrible idea, for several different reasons.
> >
> > What else?
>
> All the normal reasons that hard-coding IP addresses is a bad idea; they
> can change, you're encouraging a lot of people to use the same ones, etc.

And how to resolve this issue:

- default install with unbound as recursive DNS server (by default
  enforcing DNSSEC)
- ntp time synchronisation
- stale CMOS time (2008 year)
Well there is a deadlock situation there so you have to relax one of the
conditions, for one time at least.

Your best bet is to do a manual ntpdate against a fixed ip of known
goodness. If you have a lot of machines you need to do this on, use
ansible or similar to do the heavy lifting for you. Ansible is best in my
opinion if you don't have anything set up, as it's quick to get going. It
does require python on the target machines so you would need to install
that first.

Something like the following should get it working (as you don't have dns
on the target machine, package fetches won't work, so I would tunnel a
squid proxy and let that handle all the internet stuff).

Add something like the following to your ssh_config:

    Host *
        RemoteForward 31280 squid_server:3128

then run some stuff like this (after installing ansible on your
desktop/bastion host):

    ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy=http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i <host_list_file> -kS --ask-su-pass
    ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy=http://127.0.0.1:31280 pkg install python' -u root -i <host_list_file> -kS --ask-su-pass
    ansible -m shell -a "ntpdate <good_ntp_server_ip>" -kS --ask-su-pass -i <host_list_file>

from here on you should be able to start unbound and then ntpd, eg

    ansible -m service -a "name=local_unbound state=restarted" -kS --ask-su-pass -i <host_list_file>
    ansible -m service -a "name=ntpd state=restarted" -kS --ask-su-pass -i <host_list_file>

Alternatively you could just relax your dnssec rules on first boot to
give ntp a chance. Probably much easier 8)

Also make sure you are using the '-g' flag on ntpd

On 6 June 2016 at 14:50, Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:
> [...]
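The one-shot bootstrap described in the reply above, written out as a script. This is an added example, not code from the thread and not FreeBSD's rc.d scripts. It treats the mtime of a file written by the installer as a floor for the clock (a stale 2008 CMOS clock reads earlier than anything the installer wrote), steps the clock once from numeric addresses with ntpdate(8), and only then starts local_unbound and ntpd, so ntpd keeps using the pool names from ntp.conf and no address has to live in a shipped config. BOOTSTRAP_NTP_IPS, REF_FILE and the TIMEBOOT_APPLY switch are assumptions of the example; the addresses are RFC 5737 placeholders.

```sh
#!/bin/sh
# Added example, not FreeBSD's rc.d code: a one-shot time bootstrap for a host
# whose CMOS clock is stale and whose only resolver is a validating
# local_unbound. It steps the clock from numeric addresses ONCE, then starts
# local_unbound and finally ntpd, so ntpd keeps using the pool names from
# ntp.conf. BOOTSTRAP_NTP_IPS are RFC 5737 placeholders (assumption): replace
# them with time servers you actually trust.

BOOTSTRAP_NTP_IPS=${BOOTSTRAP_NTP_IPS:-"192.0.2.10 198.51.100.10"}
# A freshly installed system cannot legitimately be older than the files the
# installer wrote, so /bin/sh's mtime serves as a floor for the clock
# (assumption; any file from the install media would do).
REF_FILE=${REF_FILE:-/bin/sh}

log() {
    echo "timeboot: $*" >&2
    command -v logger >/dev/null 2>&1 && logger -t timeboot "$*"
    return 0
}

# ref_epoch FILE: mtime as epoch seconds (GNU stat(1) first, BSD stat(1) fallback)
ref_epoch() {
    stat -c %Y "$1" 2>/dev/null || stat -f %m "$1"
}

# clock_is_stale NOW FLOOR: true when the clock reads earlier than the floor
clock_is_stale() {
    [ "$1" -lt "$2" ]
}

# stale_reason NOW FLOOR: one-line verdict for the log
stale_reason() {
    if clock_is_stale "$1" "$2"; then
        echo "clock $1 is $(( $2 - $1 )) s behind floor $2"
    else
        echo "clock $1 is at or after floor $2"
    fi
}

# step_clock IP...: try each numeric server until one ntpdate(8) succeeds.
# -b steps the clock; slewing a clock that is years behind would never finish.
step_clock() {
    for ip in "$@"; do
        if ntpdate -b "$ip"; then
            log "stepped clock from $ip"
            return 0
        fi
        log "ntpdate against $ip failed, trying next"
    done
    return 1
}

now=$(date +%s)
floor=$(ref_epoch "$REF_FILE") || floor=0   # unreadable floor: never stale
log "$(stale_reason "$now" "$floor")"
if clock_is_stale "$now" "$floor"; then
    if [ "${TIMEBOOT_APPLY:-0}" = 1 ]; then
        # Order matters: time first, then the validating resolver, then ntpd.
        step_clock $BOOTSTRAP_NTP_IPS || { log "no bootstrap time source reachable"; exit 1; }
        service local_unbound restart
        service ntpd restart
    else
        log "clock is stale; re-run with TIMEBOOT_APPLY=1 to step it and restart services"
    fi
fi
```

Run it as root with TIMEBOOT_APPLY=1 (for example from the ansible "raw" step in place of the bare ntpdate call); without the switch it only reports. The '-g' flag mentioned above is what lets ntpd accept the large first correction on its own; on FreeBSD, ntpd_sync_on_start="YES" in rc.conf passes it. Bear in mind that ntpdate(8) over plain NTP is unauthenticated, so whoever is on the path during this step chooses the time the DNSSEC validator will trust: do it over a network you control.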
I'm playing catchup on my INBOX, so apologies in advance, if this has
already been satisfactorily answered...

On Mon, 6 Jun 2016 16:50:18 +0300 Slawa Olhovchenkov <slw at zxy.spb.ru> wrote:

> On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
> [...]
> > That's not enough to configure unbound as a fully recursive DNS
> > server.
>
> What am I missing?
> Need to fix unbound setup scripts? bsdinstall scripts?
> As I see it, the unbound setup scripts detect 127.0.0.1 in resolv.conf and
> configure unbound as a fully recursive DNS server.

May I suggest ntpdate(8)?
Find a reliable time server in your region, and once found add it
*early* in your rc.conf(5). Well, ahead of your unbound stanza. ie;

    hostname="..."
    ifconfig_re0="inet ... netmask ..."
    defaultrouter="..."
    ntpdate_enable="YES"
    ntpdate_hosts="a reliable regional time server"
    ..
    unbound_enable="YES"
    ..

ALSO. Since your upstream will, in all likelihood, have informed
you of a preferred set of 2 name servers, place one of them in your
hosts(5) file. This will help ensure that ntpdate(8) can reliably
discover your regional time server.

That should get you where you want to go. :-)

--Chris
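A preflight check for the rc.conf plus hosts(5) arrangement suggested above, added here as an example; it is not code from the thread or from FreeBSD. The point it makes concrete: whatever is in ntpdate_hosts has to be resolvable while DNS is unavailable, i.e. it is either an IP literal or it has a hosts(5) entry, because by the time ntpdate(8) runs the only resolver on the box is a validating unbound that cannot yet trust the clock. Note that the start order is decided by rcorder(8) from the rc.d scripts' REQUIRE/BEFORE lines, not by the order of lines in rc.conf; `rcorder /etc/rc.d/* | grep -nE 'local_unbound|ntpdate|ntpd'` shows the actual order. The rc.conf and hosts files in the block are constructed samples.

```sh
#!/bin/sh
# Added example, not from the thread or from FreeBSD: a preflight check for
# the rc.conf/hosts(5) arrangement above. Every name in ntpdate_hosts must be
# resolvable with DNS unavailable, i.e. be an IP literal or have a hosts(5)
# entry, because at ntpdate time the only resolver is a validating unbound
# that cannot yet trust the clock. The rc.conf and hosts files below are
# constructed samples; 192.0.2.0/24 is RFC 5737 documentation space.

# is_ip_literal NAME: IPv4 dotted quad, or anything with ':' (IPv6)
is_ip_literal() {
    case $1 in
        *:*) return 0 ;;
    esac
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$'
}

# in_hosts_file NAME FILE: true when a non-comment hosts(5) line lists NAME
in_hosts_file() {
    awk -v name="$1" '
        { sub(/#.*/, "") }
        { for (i = 2; i <= NF; i++) if ($i == name) found = 1 }
        END { exit !found }' "$2"
}

# ntpdate_hosts_from RCCONF: value of the last ntpdate_hosts= assignment,
# read without sourcing the file
ntpdate_hosts_from() {
    sed -n 's/^[[:space:]]*ntpdate_hosts="\{0,1\}\([^"]*\)"\{0,1\}.*/\1/p' "$1" | tail -n 1
}

# check_ntpdate_hosts RCCONF HOSTSFILE: prints every name that would need
# DNS; returns 0 when the time step is DNS-free, 1 otherwise
check_ntpdate_hosts() {
    bad=0
    for h in $(ntpdate_hosts_from "$1"); do
        if is_ip_literal "$h" || in_hosts_file "$h" "$2"; then
            continue
        fi
        echo "$h"
        bad=1
    done
    return $bad
}

# Constructed samples (not from any real host).
SAMPLE_DIR=$(mktemp -d)
cat > "$SAMPLE_DIR/rc.conf" <<'EOF'
hostname="host.example"
ifconfig_re0="inet 192.0.2.20 netmask 255.255.255.0"
defaultrouter="192.0.2.1"
ntpdate_enable="YES"
ntpdate_hosts="ntp.example 192.0.2.123"
local_unbound_enable="YES"
ntpd_enable="YES"
EOF
cat > "$SAMPLE_DIR/hosts" <<'EOF'
::1          localhost
127.0.0.1    localhost
192.0.2.123  ntp.example   # pinned so ntpdate(8) never needs DNS
EOF
cat > "$SAMPLE_DIR/rc.conf.pool" <<'EOF'
ntpdate_enable="YES"
ntpdate_hosts="0.freebsd.pool.ntp.org"
EOF

for rc in rc.conf rc.conf.pool; do
    if missing=$(check_ntpdate_hosts "$SAMPLE_DIR/$rc" "$SAMPLE_DIR/hosts"); then
        echo "$rc: ntpdate can step the clock without DNS"
    else
        echo "$rc: needs DNS for: $missing"
    fi
done
```

The second sample is the shipped-default situation from the first message: a pool name and no hosts(5) entry, so the check reports it. A pinned hosts(5) entry carries the same operational drawback Lowell raised for addresses in ntp.conf (it goes stale silently), so treat it as a bootstrap aid for the one-shot step, not as the server list ntpd runs on.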
On Tue, Jun 14, 2016 at 07:55:34AM -0700, Chris H wrote:

> I'm playing catchup on my INBOX, so apologies in advance, if this has
> already been satisfactorily answered...

The main question is not about how I can resolve my current issue.
The main question is about the deadlock after setup.

> [...]
> May I suggest ntpdate(8)?
> Find a reliable time server in your region, and once found add it
> *early* in your rc.conf(5). Well, ahead of your unbound stanza. ie;
>
>     hostname="..."
>     ifconfig_re0="inet ... netmask ..."
>     defaultrouter="..."
>     ntpdate_enable="YES"
>     ntpdate_hosts="a reliable regional time server"

Already pointed out the drawback of using IP addresses of NTP servers.

>     ..
>     unbound_enable="YES"
>     ..
>
> ALSO. Since your upstream will, in all likelihood, have informed
> you of a preferred set of 2 name servers, place one of them in your
> hosts(5) file. This will help ensure that ntpdate(8) can reliably

OK, i.e. cut unbound out of the FreeBSD tree. We don't need unbound and
will always use name servers from upstream, yes?

> discover your regional time server.
>
> That should get you where you want to go. :-)

I want a working setup after the FreeBSD installer.
I think the best solution is to disable enforcement in case of STA_UNSYNC.

    % ntptime
    ntp_gettime() returns code 0 (OK)
      time db0a9e2b.4bd3a1d4  Tue, Jun 14 2016 18:15:55.296, (.296198421),
      maximum error 569983 us, estimated error 2912 us, TAI offset 0
    ntp_adjtime() returns code 0 (OK)
      modes 0x0 (),
      offset 3993.151 us, frequency 0.240 ppm, interval 1 s,
      maximum error 569983 us, estimated error 2912 us,
      status 0x2001 (PLL,NANO),
      ^^^^^^^^^^^^^^^^^^^^^^^^^^ -- OK, may be enforcement.
      time constant 10, precision 0.001 us, tolerance 496 ppm,

Not only for unbound, for SSL too. And maybe in other places.

> --Chris
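The policy proposed in the message above, gating DNSSEC enforcement on the kernel's STA_UNSYNC flag, worked through as an added example (not FreeBSD's code and not something the thread implemented). ntptime(8) prints the kernel status word as "status 0x.... (FLAGS,...)"; STA_UNSYNC is 0x0040 in <sys/timex.h> and is set until ntpd has synchronised. While the flag is set, the script installs a drop-in that puts unbound into val-permissive-mode (a documented unbound.conf option: bogus answers are still returned, with the AD bit off, instead of being refused), and once the flag clears it removes the drop-in so validation is enforced again. Assumptions: that the local_unbound-generated unbound.conf includes /var/unbound/conf.d/*.conf, the drop-in path, the APPLY switch, and the two ntptime outputs, which are constructed (the second is modelled on the output above).

```sh
#!/bin/sh
# Added example, not FreeBSD's code, of the policy proposed above: consult the
# kernel's STA_UNSYNC flag before letting the clock decide DNSSEC validity.
# ntptime(8) prints "status 0x.... (FLAGS,...)"; STA_UNSYNC is 0x0040 in
# <sys/timex.h>. While it is set, a drop-in puts unbound into
# val-permissive-mode (answers still served, AD bit off, nothing refused as
# bogus); once ntpd has synced and cleared the flag the drop-in is removed and
# validation is enforced again. Assumptions: the generated local_unbound
# config includes /var/unbound/conf.d/*.conf, and the two ntptime outputs
# below are constructed samples.

STA_UNSYNC=64   # 0x0040
DROPIN=${DROPIN:-/var/unbound/conf.d/unsynced-clock.conf}

# status_word: hex status word from ntptime(8) output on stdin (no 0x prefix)
status_word() {
    sed -n 's/.*status 0x\([0-9a-fA-F]*\).*/\1/p' | tail -n 1
}

# clock_unsynced STATUS_HEX: true when STA_UNSYNC is set; an unreadable
# status keeps enforcing validation rather than silently relaxing it
clock_unsynced() {
    [ -n "$1" ] || return 1
    [ $(( 0x$1 & STA_UNSYNC )) -ne 0 ]
}

# dnssec_policy STATUS_HEX: "relax" or "enforce"
dnssec_policy() {
    if clock_unsynced "$1"; then echo relax; else echo enforce; fi
}

# apply_policy POLICY: install or remove the drop-in, then restart unbound
apply_policy() {
    case $1 in
        relax)   printf 'server:\n\tval-permissive-mode: yes\n' > "$DROPIN" ;;
        enforce) rm -f "$DROPIN" ;;
    esac
    service local_unbound restart
}

# Constructed ntptime(8) output for a host straight out of the installer,
# before ntpd has ever synced:
UNSYNCED_SAMPLE='ntp_adjtime() returns code 5 (ERROR)
  modes 0x0 (),
  offset 0.000 us, frequency 0.000 ppm, interval 1 s,
  status 0x41 (PLL,UNSYNC),'
# Constructed to match the synced host in the message above:
SYNCED_SAMPLE='ntp_adjtime() returns code 0 (OK)
  status 0x2001 (PLL,NANO),'

for sample in "$UNSYNCED_SAMPLE" "$SYNCED_SAMPLE"; do
    word=$(printf '%s\n' "$sample" | status_word)
    echo "status 0x$word -> $(dnssec_policy "$word")"
done

# On a real host: read the live status and apply it (opt in explicitly).
if [ "${APPLY:-0}" = 1 ]; then
    apply_policy "$(dnssec_policy "$(ntptime | status_word)")"
fi
```

Run with APPLY=1 from the boot sequence and again after ntpd syncs (a cron entry or a periodic check is enough), so the permissive window closes by itself. The caveat a practitioner should keep in mind: during that window unbound answers with unvalidated data, and the clock itself is being set by unauthenticated NTP, so an attacker on the path can choose both the time and the DNS answers the host sees; keep the window to the first boot, and never leave the drop-in in place. The same STA_UNSYNC test would be the natural gate for the "SSL too" case mentioned above, since certificate validity windows fail the same way on a 2008 clock.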