Date:      Tue, 7 Jun 2016 11:47:33 +0300
From:      Slawa Olhovchenkov <slw@zxy.spb.ru>
To:        krad <kraduk@gmail.com>
Cc:        "stable@freebsd.org" <stable@freebsd.org>
Subject:   Re: unbound and ntp issuse
Message-ID:  <20160607084733.GM75630@zxy.spb.ru>
In-Reply-To: <CALfReye2A8XBcjSg+B0Z7_j4HJsF9h7EAEjAW4Li2F5c=846YA@mail.gmail.com>
References:  <20160602122727.GB75625@zxy.spb.ru> <44lh2mi0k5.fsf@lowell-desk.lan> <20160603191523.GE75630@zxy.spb.ru> <44y46ie92p.fsf@lowell-desk.lan> <20160606135018.GL75630@zxy.spb.ru> <CALfReye2A8XBcjSg+B0Z7_j4HJsF9h7EAEjAW4Li2F5c=846YA@mail.gmail.com>

On Tue, Jun 07, 2016 at 09:00:29AM +0100, krad wrote:

> Well there is a deadlock situation there so you have to relax one of the
> conditions, for one time at least.
> 
> Your best bet is to do a manual ntpdate against a fixed IP of known
> goodness. If you have a lot of machines you need to do this on, use Ansible
> or similar to do the heavy lifting for you. Ansible is best in my opinion
> if you don't have anything set up, as it's quick to get going. It does require
> Python on the target machines so you would need to install that first.
> Something like the following should get it working (as you don't have DNS on
> the target machine, package fetches won't work, so I would tunnel a squid
> proxy and let that handle all the internet stuff).
> 
> add something like the following to your ssh_config
> 
> Host *
> RemoteForward 31280 squid_server:3128
> 
> then run some stuff like this (after installing ansible on your
> desktop/bastion host)
> 
> ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy=http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i <host_list_file> -kS --ask-su-pass
> 
> ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy=http://127.0.0.1:31280 pkg install python' -u root -i <host_list_file> -kS --ask-su-pass
> 
> ansible -m shell -a "ntpdate <good_ntp_server_ip>" -kS --ask-su-pass -i <host_list_file>
> 
> from here on you should be able to start unbound and then ntpd eg
> 
> ansible -m service -a "name=local_unbound state=restarted" -kS --ask-su-pass -i <host_list_file>
> ansible -m service -a "name=ntpd state=restarted" -kS --ask-su-pass -i <host_list_file>
> 
> Alternatively you could just relax your dnssec rules on first boot to give
> ntp a chance. Probably much easier 8)

How do I do it? I don't touch DNSSEC rules and don't know unbound.
Maybe this is possible via startup scripts?
Also, some platforms lack a CMOS clock, RPi, for example.

> Also make sure you are using the '-g' flag on ntpd

Yes, I added `ntpd_sync_on_start=yes` to rc.conf.
I suggest doing it via a checkbox in bsdinstall.


> On 6 June 2016 at 14:50, Slawa Olhovchenkov <slw@zxy.spb.ru> wrote:
> 
> > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
> >
> > > Slawa Olhovchenkov <slw@zxy.spb.ru> writes:
> > >
> > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> > > >
> > > >> Slawa Olhovchenkov <slw@zxy.spb.ru> writes:
> > > >>
> > > >> > Default install with local_unbound and ntpd can't be functional with
> > > >> > incorrect date/time in BIOS:
> > > >> >
> > > >> > Unbound requires correct time for DNSSEC checks and refuses queries
> > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> > > >> >
> > > >> > ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
> > > >> > symbolic names like 0.freebsd.pool.ntp.org; as a result it can't
> > > >> > resolve them (see above, about DNSKEY).
> > > >>
> > > >> I can't see how this would happen. DNSSEC doesn't seem to be required in
> > > >> a regular install as far as I can see. Certainly I don't have any
> > > >
> > > > I don't know the reason for enforcing DNSSEC in a regular install.
> > > > I just select `local_unbound` at setup time and enter `127.0.0.1` as
> > > > the nameserver address.
> > >
> > > That's not enough to configure unbound as a fully recursive DNS
> > > server.
> >
> > What am I missing?
> > Need to fix unbound setup scripts? bsdinstall scripts?
> > As I see it, the unbound setup script detects 127.0.0.1 in resolv.conf and
> > configures unbound as a fully recursive DNS server.
> >
> > > If your system gets its address through DHCP, it is probably
> > > getting DNS server addresses as well, and would work fine *without* your
> > > configuring any of the DNS state.
> >
> > I have a static address and don't get a DNS server address.
> >
> > > >> problem on any of my systems, and I've never configured an anchor on the
> > > >> internal systems.
> > > >>
> > > >> > IMHO, ntp.conf needs to include some numeric IPs of public ntp servers.
> > > >>
> > > >> Ouch; that's a terrible idea, for several different reasons.
> > > >
> > > > What else?
> > >
> > > All the normal reasons that hard-coding IP addresses is a bad idea; they
> > > can change, you're encouraging a lot of people to use the same ones, etc.
> >
> > And how to resolve this issue:
> >
> > - default install with unbound as recursive DNS server (by default
> >   enforcing DNSSEC)
> > - ntp time synchronisation
> > - stale CMOS time (year 2008)
> > _______________________________________________
> > freebsd-stable@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
> >
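The "relax your DNSSEC rules on first boot" idea raised above, and the follow-up question of whether a startup script could do it, can be shown as a concrete first-boot script. This is an added example, not code from the thread or from FreeBSD; it assumes (none of this is stated in the thread) that the local_unbound-generated unbound.conf includes `/var/unbound/conf.d/*.conf`, that `service local_unbound` is the rc script name, and that ntp.conf still lists pool hostnames. The script relaxes validation only for the one `ntpd -g -q` run that steps the clock, then removes the drop-in and restarts unbound so that the trust anchor is enforced again; `val-permissive-mode` is a real unbound.conf option that returns answers that failed validation (with the AD bit cleared) instead of SERVFAIL.

```shell
#!/bin/sh
# firstboot-time.sh: added example, not code from the thread.
# Breaks the DNSSEC/NTP deadlock on a host whose resolver is a validating
# local_unbound and whose clock is stale, by relaxing validation only for
# the time it takes ntpd to step the clock once.
#
# Assumptions (none stated in the thread): the generated unbound.conf
# includes /var/unbound/conf.d/*.conf, `service local_unbound` exists,
# and ntp.conf lists pool names that ntpd can use once DNS answers.

UNBOUND_CONFD=${UNBOUND_CONFD:-/var/unbound/conf.d}
# A clock earlier than this is certainly wrong. Assumed value: the date of
# this thread (2016-06-07 UTC); a real script would use the install date
# or the mtime of a stamp file written at install time.
REF_EPOCH=${REF_EPOCH:-1465257600}

dropin_path() {
    printf '%s/00-firstboot-permissive.conf\n' "$UNBOUND_CONFD"
}

# clock_is_stale NOW REF: succeeds when NOW (epoch seconds) predates REF
clock_is_stale() {
    [ "$1" -lt "$2" ]
}

# Drop in a server clause that makes unbound hand back answers that failed
# validation (with the AD bit cleared) instead of SERVFAIL, so ntpd can
# resolve its pool names while the trust anchor cannot yet be primed.
relax_validation() {
    mkdir -p "$UNBOUND_CONFD"
    printf 'server:\n\tval-permissive-mode: yes\n' > "$(dropin_path)"
}

restore_validation() {
    rm -f "$(dropin_path)"
}

validation_relaxed() {
    [ -f "$(dropin_path)" ]
}

bootstrap() {
    now=$(date +%s)
    if ! clock_is_stale "$now" "$REF_EPOCH"; then
        echo "clock is plausible ($now >= $REF_EPOCH), nothing to do"
        return 0
    fi
    relax_validation
    service local_unbound restart
    # -g accepts the first large offset; -q sets the clock once and exits.
    # The rc.conf knob ntpd_sync_on_start=yes only adds -g to the daemon.
    ntpd -g -q
    restore_validation
    service local_unbound restart
}

# Run the procedure only when explicitly asked, so the file can be sourced.
if [ "${FIRSTBOOT_RUN:-no}" = yes ]; then
    bootstrap
fi
```

Run it as `FIRSTBOOT_RUN=yes sh firstboot-time.sh` from an rc.d script that is ordered after local_unbound and before ntpd. The window in which validation is off is bounded by the single `ntpd -q` run, and on a platform without a CMOS clock the stale-clock test simply fires on every boot, which is the intended behaviour.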
