Date:      Fri, 1 Jul 2022 22:49:33 -1000
From:      David Cornejo <dave@dogwood.com>
To:        John Kennedy <warlock@phouka.net>
Cc:        freebsd-arm@freebsd.org
Subject:   Re: RPI4 + ntpdate + unbound
Message-ID:  <CAFnjQbuLQJJ9Y1wvGPB7kEeAts_WZXTj7T0ZU5o8TP9NvcKUGg@mail.gmail.com>
In-Reply-To: <Yr/DPWc9Y%2Brp0J78@phouka1.phouka.net>
References:  <Yr/DPWc9Y%2Brp0J78@phouka1.phouka.net>

On Fri, Jul 1, 2022 at 6:03 PM John Kennedy <warlock@phouka.net> wrote:
>
>   So I've got a RPI4 (no system time stored in NVRAM) that I did a stock
> type FreeBSD install on setting the time with ntpdate and the unbound
> DNS server (aiming for DNSSEC).  As many people have noted before me,
> that setup is sort of broken because you can't look up DNSSEC hosts if
> you think it's 1970.  No NTP time servers == no date reset == no DNS.
>
>   This example is probably terrible, but starting talk point:
>
>      $ grep -E '(ntpdate|unbound)' /etc/rc.conf
>         ntpdate_enable="YES"
>         ntpdate_XXX_dns="8.8.8.8"
>         ntpdate_hosts="0.freebsd.pool.ntp.org"
>         local_unbound_enable="YES"
>
>   I basically added ntpdate_XXX_dns (pick a better name) to trigger the
> new behavior.  If it at the ntpdate_hosts are set (I needed something to
> feed to the /usr/bin/host program), then I build a list of IPs to feed
> to ntpdate bypassing unbound's DNSSEC lookup.
>
>   The tee to /dev/console is just a way of showing what is processed:
>
>     # /etc/rc.d/ntpdate restart
>         Using domain server:
>         Name: 8.8.8.8
>         Address: 8.8.8.8#53
>         Aliases:
>
>         0.freebsd.pool.ntp.org has address 51.89.85.70
>         0.freebsd.pool.ntp.org has address 23.92.64.226
>         0.freebsd.pool.ntp.org has address 178.62.16.103
>         0.freebsd.pool.ntp.org has address 130.255.77.87
>         XXX ntpdate_hosts -> 51.89.85.70 23.92.64.226 178.62.16.103 130.255.77.87
>         Setting date via ntp.
>          1 Jul 20:39:15 ntpdate[19554]: step time server 178.62.16.103 offset -0.006001 sec
>
>   That is a totally insecure way of ingesting IPs (trusting DNS, which
> might potentially find a way to append shell commands).  But again, just
> a starting point to throw ideas at.
>
> --- /usr/src/libexec/rc/rc.d/ntpdate    2022-06-25 15:39:37.070933000 -0700
> +++ /etc/rc.d/ntpdate   2022-07-01 20:39:01.793869000 -0700
> @@ -25,6 +25,12 @@
>                             else                    {print $2}}
>                 ' < "$ntpdate_config"`
>         fi
> +       if [ -n " $ntpdate_XXX_dns" -a -n "$ntpdate_hosts" ]; then
> +               host $ntpdate_hosts $ntpdate_XXX_dns
> +               ntpdate_hosts=3D`host 0.freebsd.pool.ntp.org 8.8.8.8 | te=
e /dev/console | \
> +                       grep 'has address' | sed -E 's/^.* has address (.=
*$)/\1/' | xargs`
> +               echo "XXX ntpdate_hosts -> $ntpdate_hosts"
> +       fi
>         if [ -n "$ntpdate_hosts" -o -n "$rc_flags" ]; then
>                 echo "Setting date via ntp."
>                 ${ntpdate_program:-ntpdate} $rc_flags $ntpdate_hosts
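Review bot: the condition `[ -n " $ntpdate_XXX_dns" -a -n "$ntpdate_hosts" ]` has a space inside the first pair of quotes, so that string is never empty and the `ntpdate_XXX_dns` half of the test is always true; it should read `-n "$ntpdate_XXX_dns"`. The lookup that actually matters also ignores both rc.conf knobs: `host $ntpdate_hosts $ntpdate_XXX_dns` runs only for its console output, and the assignment hardcodes `host 0.freebsd.pool.ntp.org 8.8.8.8`; use the variables there, and because host(1) takes one name plus an optional server, loop over the names in `$ntpdate_hosts` instead of passing the whole list as arguments. As the description already admits, the sed output is then placed unfiltered into `$ntpdate_hosts` and onto the ntpdate command line; restricting accepted tokens to address characters (for example `grep -E '^[0-9A-Fa-f.:]+$'`) before the assignment closes that hole, and the `tee /dev/console` and `echo "XXX ..."` debugging lines should go before this is committed.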
>

I always hated this about the RPIs - I put a DS3231 on mine and the
problem disappears. (There are cheaper chips, with less temperature
compensation, that should work fine.) Your solution also requires a
working internet connection. I've also added a junk-box stratum 1
server on a UPS; while this was not expensive, it is a lot more than
an add-on clock. When completely isolated from the internet I can
still sync my clocks.

dave c

-- 
Kailua, Hawaiʻi
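As an added example (not the patch quoted above and not FreeBSD's own rc.d/ntpdate), here is a version of the bootstrap lookup John sketches that keeps the idea but closes the hole he points out himself: every name in ntpdate_hosts is resolved through a plain resolver with one host(1) call per name, and only tokens that are well-formed IPv4 or IPv6 addresses are allowed onto the ntpdate command line. The rc.conf knob name ntpdate_bootstrap_dns is hypothetical (it stands in for ntpdate_XXX_dns), and the parser assumes the "<name> has address <IPv4>" / "<name> has IPv6 address <IPv6>" output lines of BSD/ISC host(1) as shown in the thread. The sample host output at the bottom is constructed so the filter can be checked offline.

```sh
#!/bin/sh
# Added example, not the patch from the thread nor FreeBSD's own rc.d/ntpdate.
# Idea: resolve the NTP pool names through a plain resolver so ntpdate can
# set the clock before unbound's DNSSEC validation has a chance to work,
# but accept only well-formed addresses so a DNS answer cannot inject
# anything into the ntpdate command line.
#
# Assumptions: host(1) prints "<name> has address <IPv4>" and
# "<name> has IPv6 address <IPv6>"; the rc.conf knob name
# ntpdate_bootstrap_dns is hypothetical (stands in for ntpdate_XXX_dns).

# Keep only host(1) answer lines whose address field consists purely of
# address characters; NXDOMAIN lines, extra words and shell metacharacters
# are dropped. IPv4 octets are range-checked, since a regex alone accepts 999.
extract_addresses() {
    awk '
        $2 == "has" && $3 == "address" && NF == 4 &&
        $4 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            n = split($4, o, ".")
            ok = (n == 4)
            for (i = 1; i <= n; i++) if (o[i] + 0 > 255) ok = 0
            if (ok) print $4
            next
        }
        $2 == "has" && $3 == "IPv6" && $4 == "address" && NF == 5 &&
        $5 ~ /^[0-9A-Fa-f:]+$/ {
            print $5
        }
    '
}

# Query every name through the bootstrap resolver, one host(1) call per
# name (host takes a single name plus an optional server), and join the
# surviving addresses into one space-separated list for ntpdate.
resolve_ntp_hosts() {
    server="$1"
    shift
    for name in "$@"; do
        host "$name" "$server" 2>/dev/null
    done | extract_addresses | paste -s -d ' ' -
}

# How the rc.d logic would use it (not run here, it needs the network):
#   ntpdate_bootstrap_dns="8.8.8.8"
#   ntpdate_hosts="0.freebsd.pool.ntp.org 1.freebsd.pool.ntp.org"
#   ips=$(resolve_ntp_hosts "$ntpdate_bootstrap_dns" $ntpdate_hosts)
#   [ -n "$ips" ] && ntpdate $ips

# Constructed host(1) output for an offline check: two good IPv4 answers,
# one IPv6 answer, an out-of-range octet, an injected shell command and an
# NXDOMAIN line. Only the first three must survive the filter.
SAMPLE_HOST_OUTPUT='0.freebsd.pool.ntp.org has address 51.89.85.70
0.freebsd.pool.ntp.org has address 23.92.64.226
0.freebsd.pool.ntp.org has IPv6 address 2001:db8::123
0.freebsd.pool.ntp.org has address 999.1.1.1
0.freebsd.pool.ntp.org has address 1.2.3.4;touch /tmp/x
Host 1.freebsd.pool.ntp.org not found: 3(NXDOMAIN)'

# Runs the constructed sample through the same filter resolve_ntp_hosts uses.
sanitized_sample() {
    printf '%s\n' "$SAMPLE_HOST_OUTPUT" | extract_addresses | paste -s -d ' ' -
}
```

Because the address list is rebuilt from whitelisted tokens rather than from whatever sed happened to capture, the remaining trust placed in the unvalidated resolver is limited to which NTP servers get asked for the time, which is the same exposure the original ntpdate_hosts lookup already had.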
