From nobody Sat Jul  2 04:02:05 2022
X-Original-To: freebsd-arm@mlmmj.nyi.freebsd.org
Received: from mx1.freebsd.org (mx1.freebsd.org [IPv6:2610:1c1:1:606c::19:1])
	by mlmmj.nyi.freebsd.org (Postfix) with ESMTP id 29B1A8A41F2
	for <freebsd-arm@mlmmj.nyi.freebsd.org>; Sat,  2 Jul 2022 04:03:31 +0000 (UTC)
	(envelope-from warlock@phouka1.phouka.net)
Received: from phouka1.phouka.net (phouka1.phouka.net [107.170.196.116])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256
	 client-signature RSA-PSS (2048 bits) client-digest SHA256)
	(Client CN "phouka.net", Issuer "Go Daddy Secure Certificate Authority - G2" (not verified))
	by mx1.freebsd.org (Postfix) with ESMTPS id 4LZdhy15wqz3JZn
	for <freebsd-arm@freebsd.org>; Sat,  2 Jul 2022 04:03:30 +0000 (UTC)
	(envelope-from warlock@phouka1.phouka.net)
Received: from phouka1.phouka.net (localhost [127.0.0.1])
	by phouka1.phouka.net (8.16.1/8.16.1) with ESMTPS id 262425HJ045267
	(version=TLSv1.3 cipher=TLS_AES_256_GCM_SHA384 bits=256 verify=NO)
	for <freebsd-arm@freebsd.org>; Fri, 1 Jul 2022 21:02:06 -0700 (PDT)
	(envelope-from warlock@phouka1.phouka.net)
Received: (from warlock@localhost)
	by phouka1.phouka.net (8.16.1/8.16.1/Submit) id 262425Y2045266
	for freebsd-arm@freebsd.org; Fri, 1 Jul 2022 21:02:05 -0700 (PDT)
	(envelope-from warlock)
Date: Fri, 1 Jul 2022 21:02:05 -0700
From: John Kennedy <warlock@phouka.net>
To: freebsd-arm@freebsd.org
Subject: RPI4 + ntpdate + unbound
Message-ID: <Yr/DPWc9Y+rp0J78@phouka1.phouka.net>
List-Id: Porting FreeBSD to ARM processors <freebsd-arm.freebsd.org>
List-Archive: https://lists.freebsd.org/archives/freebsd-arm
List-Help: <mailto:freebsd-arm+help@freebsd.org>
List-Post: <mailto:freebsd-arm@freebsd.org>
List-Subscribe: <mailto:freebsd-arm+subscribe@freebsd.org>
List-Unsubscribe: <mailto:freebsd-arm+unsubscribe@freebsd.org>
Sender: owner-freebsd-arm@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
X-Rspamd-Queue-Id: 4LZdhy15wqz3JZn
X-Spamd-Bar: -
Authentication-Results: mx1.freebsd.org;
	dkim=none;
	dmarc=none;
	spf=none (mx1.freebsd.org: domain of warlock@phouka1.phouka.net has no SPF policy when checking 107.170.196.116) smtp.mailfrom=warlock@phouka1.phouka.net
X-Spamd-Result: default: False [-1.78 / 15.00];
	 ARC_NA(0.00)[];
	 NEURAL_HAM_MEDIUM(-0.98)[-0.984];
	 FROM_HAS_DN(0.00)[];
	 TO_MATCH_ENVRCPT_ALL(0.00)[];
	 NEURAL_HAM_LONG(-1.00)[-1.000];
	 MIME_GOOD(-0.10)[text/plain];
	 TO_DN_NONE(0.00)[];
	 PREVIOUSLY_DELIVERED(0.00)[freebsd-arm@freebsd.org];
	 AUTH_NA(1.00)[];
	 RCPT_COUNT_ONE(0.00)[1];
	 MID_RHS_MATCH_FROMTLD(0.00)[];
	 NEURAL_HAM_SHORT(-0.99)[-0.994];
	 DMARC_NA(0.00)[phouka.net];
	 MLMMJ_DEST(0.00)[freebsd-arm];
	 FORGED_SENDER(0.30)[warlock@phouka.net,warlock@phouka1.phouka.net];
	 R_SPF_NA(0.00)[no SPF record];
	 R_DKIM_NA(0.00)[];
	 MIME_TRACE(0.00)[0:+];
	 ASN(0.00)[asn:14061, ipnet:107.170.192.0/18, country:US];
	 FROM_NEQ_ENVFROM(0.00)[warlock@phouka.net,warlock@phouka1.phouka.net];
	 RCVD_TLS_ALL(0.00)[];
	 RCVD_COUNT_TWO(0.00)[2]
X-ThisMailContainsUnwantedMimeParts: N

  So I've got a RPI4 (no system time stored in NVRAM) that I did a stock
type FreeBSD install on setting the time with ntpdate and the unbound
DNS server (aiming for DNSSEC).  As many people have noted before me,
that setup is sort of broken because you can't look up DNSSEC hosts if
you think it's 1970.  No NTP time servers == no date reset == no DNS.

  This example is probably terrible, but starting talk point:

     $ grep -E '(ntpdate|unbound)' /etc/rc.conf
	ntpdate_enable="YES"
	ntpdate_XXX_dns="8.8.8.8"
	ntpdate_hosts="0.freebsd.pool.ntp.org"
	local_unbound_enable="YES"

  I basically added ntpdate_XXX_dns (pick a better name) to trigger the
new behavior.  If it at the ntpdate_hosts are set (I needed something to
feed to the /usr/bin/host program), then I build a list of IPs to feed
to ntpdate bypassing unbound's DNSSEC lookup.

  The tee to /dev/console is just a way of showing what is processed:

    # /etc/rc.d/ntpdate restart
	Using domain server:
	Name: 8.8.8.8
	Address: 8.8.8.8#53
	Aliases:

	0.freebsd.pool.ntp.org has address 51.89.85.70
	0.freebsd.pool.ntp.org has address 23.92.64.226
	0.freebsd.pool.ntp.org has address 178.62.16.103
	0.freebsd.pool.ntp.org has address 130.255.77.87
	XXX ntpdate_hosts -> 51.89.85.70 23.92.64.226 178.62.16.103 130.255.77.87
	Setting date via ntp.
	 1 Jul 20:39:15 ntpdate[19554]: step time server 178.62.16.103 offset -0.006001 sec

  That is a totally insecure way of ingesting IPs (trusting DNS, which
might potentially find a way to append shell commands).  But again, just
a starting point to throw ideas at.

--- /usr/src/libexec/rc/rc.d/ntpdate	2022-06-25 15:39:37.070933000 -0700
+++ /etc/rc.d/ntpdate	2022-07-01 20:39:01.793869000 -0700
@@ -25,6 +25,12 @@
 			    else                    {print $2}}
 		' < "$ntpdate_config"`
 	fi
+	if [ -n " $ntpdate_XXX_dns" -a -n "$ntpdate_hosts" ]; then
+		host $ntpdate_hosts $ntpdate_XXX_dns
+		ntpdate_hosts=`host 0.freebsd.pool.ntp.org 8.8.8.8 | tee /dev/console | \
+			grep 'has address' | sed -E 's/^.* has address (.*$)/\1/' | xargs`
+		echo "XXX ntpdate_hosts -> $ntpdate_hosts"
+	fi
 	if [ -n "$ntpdate_hosts" -o -n "$rc_flags" ]; then
 		echo "Setting date via ntp."
 		${ntpdate_program:-ntpdate} $rc_flags $ntpdate_hosts