Date: Fri, 1 Jul 2022 21:02:05 -0700
From: John Kennedy <warlock@phouka.net>
To: freebsd-arm@freebsd.org
Subject: RPI4 + ntpdate + unbound
Message-ID: <Yr/DPWc9Y+rp0J78@phouka1.phouka.net>
So I've got a RPI4 (no system time stored in NVRAM) that I did a stock type FreeBSD install on, setting the time with ntpdate and the unbound DNS server (aiming for DNSSEC). As many people have noted before me, that setup is sort of broken because you can't look up DNSSEC hosts if you think it's 1970. No NTP time servers == no date reset == no DNS.

This example is probably terrible, but starting talk point:

$ grep -E '(ntpdate|unbound)' /etc/rc.conf
ntpdate_enable="YES"
ntpdate_XXX_dns="8.8.8.8"
ntpdate_hosts="0.freebsd.pool.ntp.org"
local_unbound_enable="YES"

I basically added ntpdate_XXX_dns (pick a better name) to trigger the new behavior. If it and the ntpdate_hosts are set (I needed something to feed to the /usr/bin/host program), then I build a list of IPs to feed to ntpdate bypassing unbound's DNSSEC lookup. The tee to /dev/console is just a way of showing what is processed:

# /etc/rc.d/ntpdate restart
Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

0.freebsd.pool.ntp.org has address 51.89.85.70
0.freebsd.pool.ntp.org has address 23.92.64.226
0.freebsd.pool.ntp.org has address 178.62.16.103
0.freebsd.pool.ntp.org has address 130.255.77.87
XXX ntpdate_hosts -> 51.89.85.70 23.92.64.226 178.62.16.103 130.255.77.87
Setting date via ntp.
1 Jul 20:39:15 ntpdate[19554]: step time server 178.62.16.103 offset -0.006001 sec

That is a totally insecure way of ingesting IPs (trusting DNS, which might potentially find a way to append shell commands). But again, just a starting point to throw ideas at.

--- /usr/src/libexec/rc/rc.d/ntpdate 2022-06-25 15:39:37.070933000 -0700 +++ /etc/rc.d/ntpdate 2022-07-01 20:39:01.793869000 -0700
@@ -25,6 +25,12 @@ else {print $2}} ' < "$ntpdate_config"` fi + if [ -n " $ntpdate_XXX_dns" -a -n "$ntpdate_hosts" ]; then + host $ntpdate_hosts $ntpdate_XXX_dns + ntpdate_hosts=`host 0.freebsd.pool.ntp.org 8.8.8.8 | tee /dev/console | \ + grep 'has address' | sed -E 's/^.* has address (.*$)/\1/' | xargs` + echo "XXX ntpdate_hosts -> $ntpdate_hosts" + fi if [ -n "$ntpdate_hosts" -o -n "$rc_flags" ]; then echo "Setting date via ntp." ${ntpdate_program:-ntpdate} $rc_flags $ntpdate_hosts
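Review bot: the test `[ -n " $ntpdate_XXX_dns" -a -n "$ntpdate_hosts" ]` has a space inside the first quoted string, so that operand is never empty and the new block runs whenever ntpdate_hosts is set, with or without the new variable; drop the space. In the same block the assignment hard-codes `host 0.freebsd.pool.ntp.org 8.8.8.8` instead of `host $ntpdate_hosts $ntpdate_XXX_dns`, so the rc.conf values only reach the preceding `host $ntpdate_hosts $ntpdate_XXX_dns` call, whose output goes nowhere but the console; fold the two into one call. The `sed` capture takes whatever follows "has address" unvalidated and it then lands unquoted on the ntpdate command line; restrict it to a dotted-quad, for example `grep -E 'has address ([0-9]{1,3}\.){3}[0-9]{1,3}$' | awk '{print $NF}'`, and remove the `tee /dev/console` debug tap before this is committed. Also note that host(1) takes a single name, so the lookup only works while ntpdate_hosts holds exactly one hostname.

As an added example (not code from the post, nor from FreeBSD's rc.d), here is one way to address the "trusting DNS" concern the author raises: filter the host(1) output down to syntactically valid IPv4 addresses before anything is assigned to ntpdate_hosts. It assumes the host(1) output format shown in the post; the sample output is constructed, and the function names (`extract_ipv4`, `sample_ntpdate_hosts`, `resolve_ntpdate_hosts`) are mine.

```shell
#!/bin/sh
# Added example, not code from the mailing-list post: validate host(1)
# output before it is handed to ntpdate, so only dotted-quad IPv4 addresses
# (and never anything else from the DNS answer) reach the command line.

# Constructed sample of host(1) output, in the format shown in the post.
# The third and fourth "has address" lines are deliberately bad: an octet
# out of range, and trailing text appended after the address.
SAMPLE_HOST_OUTPUT='Using domain server:
Name: 8.8.8.8
Address: 8.8.8.8#53
Aliases:

0.freebsd.pool.ntp.org has address 51.89.85.70
0.freebsd.pool.ntp.org has address 23.92.64.226
0.freebsd.pool.ntp.org has address 999.1.1.1
0.freebsd.pool.ntp.org has address 178.62.16.103; echo injected'

# extract_ipv4: read host(1) output on stdin and print one validated IPv4
# address per line. The line must end right after the address, and every
# octet must be a 1-3 digit number no larger than 255.
extract_ipv4() {
    awk '
        $0 ~ /^[^ ]+ has address [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ {
            n = split($4, o, ".")
            ok = (n == 4)
            for (i = 1; i <= n && ok; i++)
                if (o[i] !~ /^[0-9][0-9]?[0-9]?$/ || o[i] + 0 > 255)
                    ok = 0
            if (ok) print $4
        }'
}

# sample_ntpdate_hosts: the space-separated list that would be assigned to
# ntpdate_hosts, built from the constructed sample instead of a live lookup.
sample_ntpdate_hosts() {
    printf '%s\n' "$SAMPLE_HOST_OUTPUT" | extract_ipv4 | xargs
}

# resolve_ntpdate_hosts NAME RESOLVER: the live variant for rc.d use. It
# needs network access, so it is not exercised here. Both arguments are
# quoted so the rc.conf values pass through unchanged.
resolve_ntpdate_hosts() {
    host "$1" "$2" | extract_ipv4 | xargs
}

sample_ntpdate_hosts
```

Run against the constructed sample this prints `51.89.85.70 23.92.64.226`: the out-of-range octet and the line with trailing text are both dropped, so the only thing that can ever be appended to the ntpdate command is a list of addresses. Anchoring the pattern at end of line is what makes the difference; the post's `sed` capture `(.*$)` keeps everything after "has address".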
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?Yr/DPWc9Y%2Brp0J78>