From owner-freebsd-stable@freebsd.org Tue Jun 7 08:00:32 2016
From: krad
Date: Tue, 7 Jun 2016 09:00:29 +0100
Subject: Re: unbound and ntp issuse
To: Slawa Olhovchenkov
Cc: "stable@freebsd.org"
In-Reply-To: <20160606135018.GL75630@zxy.spb.ru>
References: <20160602122727.GB75625@zxy.spb.ru> <44lh2mi0k5.fsf@lowell-desk.lan> <20160603191523.GE75630@zxy.spb.ru> <44y46ie92p.fsf@lowell-desk.lan> <20160606135018.GL75630@zxy.spb.ru>

Well, there is a deadlock situation there, so you have to relax one of the conditions, for one time at least. Your best bet is to do a manual ntpdate against a fixed IP of known goodness. If you have a lot of machines you need to do this on, use Ansible or similar to do the heavy lifting for you.
Ansible is best in my opinion if you don't have anything set up, as it's quick to get going. It does require Python on the target machines, so you would need to install that first. Something like the following should get it working. As you don't have DNS on the target machine, package fetches won't work, so I would tunnel a squid proxy and let that handle all the internet stuff. Add something like the following to your ssh_config:

Host *
    RemoteForward 31280 squid_server:3128

Then run some stuff like this (after installing Ansible on your desktop/bastion host):

ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy=http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i -kS --ask-su-pass
ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy=http://127.0.0.1:31280 pkg install python' -u root -i -kS --ask-su-pass
ansible -m shell -a "ntpdate " -kS --ask-su-pass -i

From here on you should be able to start unbound and then ntpd, eg:

ansible -m service -a "name=local_unbound state=restarted" -kS --ask-su-pass -i
ansible -m service -a "name=ntpd state=restarted" -kS --ask-su-pass -i

Slawa Olhovchenkov wrote:

> On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
>
> > Slawa Olhovchenkov writes:
> >
> > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> > >
> > >> Slawa Olhovchenkov writes:
> > >>
> > >> > Default install with local_unbound and ntpd can't be functional with
> > >> > incorrect date/time in BIOS:
> > >> >
> > >> > Unbound requires correct time for the DNSSEC check and refuses queries
> > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> > >> >
> > >> > ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
> > >> > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't
> > >> > resolve (see above, about DNSKEY).
> > >>
> > >> I can't see how this would happen. DNSSEC doesn't seem to be required in
> > >> a regular install as far as I can see. Certainly I don't have any
> > >
> > > I don't know the reason for enforcing DNSSEC in a regular install.
> > > I just select `local_unbound` at setup time and enter `127.0.0.1` as
> > > nameserver address.
> >
> > That's not enough to configure unbound as a fully recursive DNS
> > server.
>
> What am I missing?
> Need to fix unbound setup scripts? bsdinstall scripts?
> As I see, the unbound setup scripts detect 127.0.0.1 in resolv.conf and
> configure unbound as a fully recursive DNS server.
>
> > If your system gets its address through DHCP, it is probably
> > getting DNS server addresses as well, and would work fine *without* your
> > configuring any of the DNS state.
>
> I have a static address and don't get a DNS server address.
>
> > >> problem on any of my systems, and I've never configured an anchor on the
> > >> internal systems.
> > >>
> > >> > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
> > >>
> > >> Ouch; that's a terrible idea, for several different reasons.
> > >
> > > What else?
> >
> > All the normal reasons that hard-coding IP addresses is a bad idea; they
> > can change, you're encouraging a lot of people to use the same ones, etc.
>
> And how to resolve this issue:
>
> - default install with unbound as recursive DNS server (by default
>   enforcing DNSSEC)
> - ntp time synchronisation
> - stale CMOS time (2008 year)
>
> _______________________________________________
> freebsd-stable@freebsd.org mailing list
> https://lists.freebsd.org/mailman/listinfo/freebsd-stable
> To unsubscribe, send any mail to "freebsd-stable-unsubscribe@freebsd.org"
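The single-host version of the procedure krad describes (ntpdate against a numeric address, then local_unbound, then ntpd), written out as an added example for this page; it is not code from the thread or from FreeBSD. It assumes a MIN_EPOCH floor below which the CMOS clock is treated as stale (2016-06-01 here; set it to your own install or build date), an operator-supplied NTP_SERVER address (192.0.2.1 in the usage line is a documentation placeholder), the unbound log text quoted in the thread as the symptom to match, and a constructed benign log line for the negative case. The planning and execution halves are separated so the ordering can be checked without touching the system. Note the trust decision in the one unauthenticated step: whoever answers at that numeric address sets your clock, and the clock is what decides whether DNSSEC validation passes afterwards, so use an address you control or can reach over a management network, and let ntpd with the names in ntp.conf take over once the clock is sane.

```shell
#!/bin/sh
# Added example, not from the thread: break the local_unbound/ntpd time
# deadlock on one FreeBSD host with a stale CMOS clock.
#
# Ordering is the whole point. While the clock is years off, unbound's
# DNSSEC validation fails, so the pool.ntp.org names in ntp.conf cannot be
# resolved. Step the clock once from a numeric address, then start
# local_unbound, then ntpd, which takes over with the names in ntp.conf.

# Assumption: a wall-clock time before this epoch means the CMOS clock is
# stale. 1464739200 is 2016-06-01T00:00:00Z (just before this thread);
# set it to your own install or build date.
MIN_EPOCH=${MIN_EPOCH:-1464739200}

# clock_is_sane NOW [MIN]: succeed if NOW (seconds since the epoch) is at
# or after MIN. Kept free of side effects so it can be checked offline.
clock_is_sane() {
    [ "$1" -ge "${2:-$MIN_EPOCH}" ]
}

# dnssec_time_error LINE: succeed if an unbound log line shows the
# trust-anchor failure quoted in the thread, the usual symptom of a clock
# that is years off.
dnssec_time_error() {
    case "$1" in
        *"failed to prime trust anchor"*|*"DNSKEY rrset is not secure"*) return 0 ;;
        *) return 1 ;;
    esac
}

# bootstrap_steps NOW SERVER: print the commands to run, one per line, for a
# host whose clock reads NOW. ntpdate -b steps the clock instead of slewing,
# which is what a multi-year offset needs. Planning is separated from
# execution so the order can be tested without touching the system.
bootstrap_steps() {
    if ! clock_is_sane "$1"; then
        echo "ntpdate -b $2"
    fi
    echo "service local_unbound restart"
    echo "service ntpd restart"
}

# run_steps SERVER: execute the plan for this host, stopping at the first
# failure. If ntpdate cannot reach the server the clock is still wrong, and
# restarting unbound at that point just reproduces the DNSKEY error.
run_steps() {
    bootstrap_steps "$(date +%s)" "$1" | while IFS= read -r cmd; do
        echo "+ $cmd" >&2
        $cmd || { echo "failed: $cmd" >&2; exit 1; }
    done
}

# Usage (as root): NTP_SERVER=192.0.2.1 sh fix-time.sh
# 192.0.2.1 is a placeholder; use a numeric address you trust, because
# ntpdate authenticates nothing here and whoever answers sets your clock.
# Nothing runs unless NTP_SERVER is set, so the functions can be sourced.
if [ -n "${NTP_SERVER:-}" ]; then
    run_steps "$NTP_SERVER"
fi
```

For the Ansible fleet case in the message above, the same plan maps onto the three ansible invocations one-to-one (the raw ntpdate step, then the two service restarts); the point of the script is that the ntpdate step is skipped entirely on hosts whose clock is already plausible, so a re-run is harmless.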