Date: Fri, 1 Jul 2022 21:02:05 -0700
From: John Kennedy
To: freebsd-arm@freebsd.org
Subject: RPI4 + ntpdate + unbound
List-Id: Porting FreeBSD to ARM processors
List-Archive: https://lists.freebsd.org/archives/freebsd-arm

So I've got an RPI4 (no system time stored in NVRAM) that I did a stock-type FreeBSD install on, setting the time with ntpdate and the unbound DNS server (aiming for DNSSEC). As many people have noted before me, that setup is sort of broken because you can't look up DNSSEC hosts if you think it's 1970. No NTP time servers == no date reset == no DNS.
This example is probably terrible, but a starting talking point:

  $ grep -E '(ntpdate|unbound)' /etc/rc.conf
  ntpdate_enable="YES"
  ntpdate_XXX_dns="8.8.8.8"
  ntpdate_hosts="0.freebsd.pool.ntp.org"
  local_unbound_enable="YES"

I basically added ntpdate_XXX_dns (pick a better name) to trigger the new behavior. If it and the ntpdate_hosts are set (I needed something to feed to the /usr/bin/host program), then I build a list of IPs to feed to ntpdate, bypassing unbound's DNSSEC lookup. The tee to /dev/console is just a way of showing what is processed:

  # /etc/rc.d/ntpdate restart
  Using domain server:
  Name: 8.8.8.8
  Address: 8.8.8.8#53
  Aliases:

  0.freebsd.pool.ntp.org has address 51.89.85.70
  0.freebsd.pool.ntp.org has address 23.92.64.226
  0.freebsd.pool.ntp.org has address 178.62.16.103
  0.freebsd.pool.ntp.org has address 130.255.77.87
  XXX ntpdate_hosts -> 51.89.85.70 23.92.64.226 178.62.16.103 130.255.77.87
  Setting date via ntp.
  1 Jul 20:39:15 ntpdate[19554]: step time server 178.62.16.103 offset -0.006001 sec

That is a totally insecure way of ingesting IPs (trusting DNS, which might potentially find a way to append shell commands). But again, just a starting point to throw ideas at.

--- /usr/src/libexec/rc/rc.d/ntpdate 2022-06-25 15:39:37.070933000 -0700
+++ /etc/rc.d/ntpdate 2022-07-01 20:39:01.793869000 -0700
@@ -25,6 +25,12 @@
 else {print $2}}
 ' < "$ntpdate_config"`
 fi
+ if [ -n " $ntpdate_XXX_dns" -a -n "$ntpdate_hosts" ]; then
+ host $ntpdate_hosts $ntpdate_XXX_dns
+ ntpdate_hosts=`host 0.freebsd.pool.ntp.org 8.8.8.8 | tee /dev/console | \
+ grep 'has address' | sed -E 's/^.* has address (.*$)/\1/' | xargs`
+ echo "XXX ntpdate_hosts -> $ntpdate_hosts"
+ fi
 if [ -n "$ntpdate_hosts" -o -n "$rc_flags" ]; then
 echo "Setting date via ntp."
 ${ntpdate_program:-ntpdate} $rc_flags $ntpdate_hosts
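Review bot: the guard `if [ -n " $ntpdate_XXX_dns" -a -n "$ntpdate_hosts" ]; then` has a space inside the first quoted string, so `-n " $ntpdate_XXX_dns"` is true even when the variable is unset and the new path fires whenever ntpdate_hosts is non-empty; drop the space. In the same block the assignment hardcodes `host 0.freebsd.pool.ntp.org 8.8.8.8` rather than using `$ntpdate_hosts` and `$ntpdate_XXX_dns`, so the rc.conf values are only consulted by the preceding bare `host $ntpdate_hosts $ntpdate_XXX_dns` line, whose output is otherwise unused and can be removed. Since host(1) takes one name plus an optional server, a multi-entry ntpdate_hosts would pass its second entry as the server; loop over the names instead. Finally, the `sed` capture is spliced unchecked into the later `${ntpdate_program:-ntpdate} $rc_flags $ntpdate_hosts` command line, as the message itself notes; restricting the kept tokens to address literals (for example `grep -Ex '([0-9]{1,3}\.){3}[0-9]{1,3}'` before `xargs`) before assignment closes that, and the result still bypasses unbound as intended.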
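A safer version of the same bootstrap step, as an added example that is not part of the original message nor of FreeBSD's rc.d/ntpdate: it resolves each name in ntpdate_hosts through an explicitly named, non-validating resolver (the message's ntpdate_XXX_dns) and keeps only tokens that parse as address literals, so whatever a spoofing or broken resolver returns can reach ntpdate's command line only as an IP. The function names, the constructed host(1) output (including two deliberately bad lines, and a 2001:db8:: documentation-range address) and the treatment of IPv6 are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not the poster's patch, not FreeBSD's rc.d/ntpdate).
# Resolve NTP pool names through an explicit resolver that does not
# validate DNSSEC, then keep only tokens that are address literals.
# Function names and the sample output below are this example's own.

# Constructed host(1) output used for offline demonstration; the last
# two lines imitate what a hostile or buggy resolver could hand back.
SAMPLE_HOST_OUTPUT='Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

0.freebsd.pool.ntp.org has address 51.89.85.70
0.freebsd.pool.ntp.org has address 23.92.64.226
0.freebsd.pool.ntp.org has IPv6 address 2001:db8::123
0.freebsd.pool.ntp.org has address 1.2.3.4; touch /tmp/pwned
0.freebsd.pool.ntp.org has address 999.1.1.1'

# True if $1 is a dotted-quad IPv4 literal with every octet in 0..255.
is_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    old_ifs=$IFS
    IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# Loose IPv6 check: hex digits and colons only, at least two colons,
# no ":::", at most 39 characters. Not a full RFC 4291 parser, but it
# excludes whitespace and shell metacharacters, which is what matters.
is_ipv6() {
    case "$1" in
        ''|*[!0-9A-Fa-f:]*|*:::*) return 1 ;;
        *:*:*) [ ${#1} -le 39 ] ;;
        *) return 1 ;;
    esac
}

# Read host(1) output on stdin; print validated address literals, one
# per line. Anything that is not a clean literal is dropped silently.
addresses_from_host_output() {
    while IFS= read -r line; do
        case "$line" in
            *' has address '*)      addr=${line##* has address } ;;
            *' has IPv6 address '*) addr=${line##* has IPv6 address } ;;
            *) continue ;;
        esac
        if is_ipv4 "$addr" || is_ipv6 "$addr"; then
            printf '%s\n' "$addr"
        fi
    done
}

# Resolve each name in $2.. via resolver $1 (needs the network, so it
# is not exercised offline). host(1) takes one name per call, so loop.
resolve_ntp_hosts() {
    resolver=$1
    shift
    for name; do
        host "$name" "$resolver" 2>/dev/null
    done | addresses_from_host_output | xargs
}

# Offline demonstration: filter the constructed sample and return the
# space-separated list that ntpdate would receive.
demo_filtered_hosts() {
    printf '%s\n' "$SAMPLE_HOST_OUTPUT" | addresses_from_host_output | xargs
}

# In rc.d terms the patch's assignment would become:
#   ntpdate_hosts=$(resolve_ntp_hosts "$ntpdate_XXX_dns" $ntpdate_hosts)
```

Two design points: validation happens on the token after the `has address` prefix has been stripped, so a line that looks like a host(1) record but carries extra text is rejected whole rather than partially trusted; and the DNS path is still unauthenticated, which is acceptable only because the result is passed to ntpdate, which does its own sanity checks on the time it receives, and because the validated literal cannot carry anything but an address.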