From: "Chris H" <bsd-lists@bsdforge.com>
To: stable@freebsd.org, Slawa Olhovchenkov
Subject: Re: unbound and ntp issuse
Date: Tue, 14 Jun 2016 07:55:34 -0700
Message-id: <92f831de110ce2d6c5c646ac0fe67bbb@ultimatedns.net>
In-Reply-To: <20160606135018.GL75630@zxy.spb.ru>
References: <20160602122727.GB75625@zxy.spb.ru> <44lh2mi0k5.fsf@lowell-desk.lan> <20160603191523.GE75630@zxy.spb.ru> <44y46ie92p.fsf@lowell-desk.lan> <20160606135018.GL75630@zxy.spb.ru>

I'm playing catch-up on my INBOX, so apologies in advance if this has
already been satisfactorily answered...

On Mon, 6 Jun 2016 16:50:18 +0300 Slawa Olhovchenkov wrote
> On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
>
> > Slawa Olhovchenkov writes:
> >
> > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> > >
> > >> Slawa Olhovchenkov writes:
> > >>
> > >> > Default install with local_unbound and ntpd can't be functional with
> > >> > incorrect date/time in BIOS:
> > >> >
> > >> > Unbound requires correct time for the DNSSEC check and refuses queries
> > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> > >> >
> > >> > ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
> > >> > symbolic names like 0.freebsd.pool.ntp.org, as a result -- can't
> > >> > resolve (see above, about DNSKEY).
> > >>
> > >> I can't see how this would happen. DNSSEC doesn't seem to be required in
> > >> a regular install as far as I can see. Certainly I don't have any
> > >
> > > I don't know the reason for enforcing DNSSEC in a regular install.
> > > I just select 'local_unbound' at setup time and enter '127.0.0.1' as
> > > the nameserver address.
> >
> > That's not enough to configure unbound as a fully recursive DNS
> > server.
>
> What am I missing?
> Need to fix unbound setup scripts? bsdinstall scripts?
> As I see, the unbound setup scripts detect 127.0.0.1 in resolv.conf and
> configure unbound as a fully recursive DNS server.

May I suggest ntpdate(8)? Find a reliable time server in your region,
and once found add it *early* in your rc.conf(5). Well, ahead of your
unbound stanza. i.e.;

  hostname="..."
  ifconfig_re0="inet ... netmask ..."
  defaultrouter="..."
  ntpdate_enable="YES"
  ntpdate_hosts="a reliable regional time server"
  ..
  unbound_enable="YES"
  ..

ALSO. Since your upstream will, in all likelihood, have informed you of a
preferred set of 2 name servers, place one of them in your hosts(5) file.
This will help ensure that ntpdate(8) can reliably discover your regional
time server.

That should get you where you want to go. :-)

--Chris

> > If your system gets its address through DHCP, it is probably
> > getting DNS server addresses as well, and would work fine *without* your
> > configuring any of the DNS state.
>
> I have a static address and don't get DNS server addresses.
>
> > >> problem on any of my systems, and I've never configured an anchor on the
> > >> internal systems.
> > >>
> > >> > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
> > >>
> > >> Ouch; that's a terrible idea, for several different reasons.
> > >
> > > What else?
> >
> > All the normal reasons that hard-coding IP addresses is a bad idea; they
> > can change, you're encouraging a lot of people to use the same ones, etc.
>
> And how to resolve this issue:
>
> - default install with unbound as recursive DNS server (by default
>   enforcing DNSSEC)
> - ntp time synchronisation
> - stale CMOS time (2008 year)
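The deadlock the thread describes has two halves: a validating resolver rejects every signature whose validity window does not contain the system clock, and ntpd then cannot look up the pool hostnames it would need to fix that clock. The following Python is an added example written for this page, not code from the thread, from unbound or from ntpd. It models the RRSIG validity-window check (RFC 4034 section 3.1.5 requires serial-number comparison of the inception and expiration fields, RFC 1982 style) and then classifies the targets in an ntp.conf by whether ntpd could reach them with DNS unavailable, which is the property the reply's hosts(5) suggestion restores. The signature times, the ntp.conf and hosts contents, and the 192.0.2.10 address (a documentation range) are all constructed.

```python
# Added example, not code from the FreeBSD thread, unbound or ntpd.
# Models (1) the RRSIG validity-window test a DNSSEC validator applies
# against the system clock and (2) which ntp.conf targets remain
# reachable when the validating resolver is refusing answers.
# All sample data is constructed; 192.0.2.10 is a documentation address.
import ipaddress
from datetime import datetime, timezone

SERIAL_HALF = 1 << 31  # half the 32-bit serial space (RFC 1982)


def rrsig_time_to_epoch(field: str) -> int:
    """RRSIG presentation format YYYYMMDDHHmmSS (UTC) -> seconds since the epoch."""
    dt = datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())


def serial_gt(a: int, b: int) -> bool:
    """True if a > b under 32-bit serial-number arithmetic (RFC 1982)."""
    a &= 0xFFFFFFFF
    b &= 0xFFFFFFFF
    return (a < b and b - a > SERIAL_HALF) or (a > b and a - b < SERIAL_HALF)


def rrsig_window_ok(now_epoch: int, inception: str, expiration: str):
    """Return (ok, reason) for the validity-window half of RRSIG checking."""
    inc = rrsig_time_to_epoch(inception)
    exp = rrsig_time_to_epoch(expiration)
    if serial_gt(inc, now_epoch):
        return False, "signature not yet valid: system clock is behind the inception time"
    if serial_gt(now_epoch, exp):
        return False, "signature expired: system clock is past the expiration time"
    return True, "signature inside its validity window"


def parse_hosts(text: str) -> dict:
    """Minimal hosts(5) parser: name -> address (first mapping wins)."""
    table = {}
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        for name in fields[1:]:
            table.setdefault(name.lower(), fields[0])
    return table


def ntp_servers(ntp_conf: str) -> list:
    """server/pool/peer targets named in an ntp.conf."""
    out = []
    for line in ntp_conf.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 2 and fields[0] in ("server", "pool", "peer"):
            out.append(fields[1])
    return out


def reachable_without_dns(ntp_conf: str, hosts_text: str) -> dict:
    """Classify each ntp target by whether ntpd can reach it with DNS unavailable."""
    table = parse_hosts(hosts_text)
    result = {}
    for target in ntp_servers(ntp_conf):
        try:
            ipaddress.ip_address(target)
            result[target] = "numeric address"
            continue
        except ValueError:
            pass
        if target.lower() in table:
            result[target] = "hosts(5) -> " + table[target.lower()]
        else:
            result[target] = "needs DNS (blocked while the validator rejects answers)"
    return result


# Constructed sample data.
SIG_INCEPTION = "20160601000000"
SIG_EXPIRATION = "20160621000000"
STALE_CLOCK = rrsig_time_to_epoch("20080101000000")  # the 2008 CMOS clock
GOOD_CLOCK = rrsig_time_to_epoch("20160606135018")   # after time sync
NTP_CONF = """\
# constructed ntp.conf
pool 0.freebsd.pool.ntp.org iburst
server time.example.net iburst
"""
HOSTS = """\
127.0.0.1 localhost
192.0.2.10 time.example.net   # regional server pinned as the reply suggests
"""

if __name__ == "__main__":
    for label, clock in (("stale", STALE_CLOCK), ("synced", GOOD_CLOCK)):
        print(label, rrsig_window_ok(clock, SIG_INCEPTION, SIG_EXPIRATION))
    for target, status in reachable_without_dns(NTP_CONF, HOSTS).items():
        print(target, "->", status)
```

With the stale clock the window check fails before inception, which is the class of failure behind the "failed to prime trust anchor" message; with the synced clock it passes. In the reachability report the pool hostname needs DNS, while the name pinned in hosts(5) does not, so an ntpdate(8) run ordered ahead of unbound can sync against it regardless of the resolver's state.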