
unbound and ntp issue


Slawa Olhovchenkov

Jun 2, 2016, 12:30:44 PM
A default install with local_unbound and ntpd can't be functional with an
incorrect date/time in BIOS:

Unbound requires correct time for the DNSSEC check and refuses queries
("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")

ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
symbolic names like 0.freebsd.pool.ntp.org; as a result, it can't
resolve them (see above, about DNSKEY).

IMHO, ntp.conf needs to include some numeric IPs of public ntp servers.

# date
Tue Jul 1 20:36:31 MSD 2008


_______________________________________________
freebsd-...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-security
To unsubscribe, send any mail to "freebsd-securi...@freebsd.org"
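As an added example (not code from the thread or from the FreeBSD project), a POSIX sh check for the bootstrap deadlock the post describes: a wrong BIOS clock makes unbound reject DNSSEC, so ntpd cannot resolve the pool hostnames in ntp.conf. The log line is the one quoted in the post; the ntp.conf fragment, the 2016 release-year floor, and the function names are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread: check for the deadlock the poster describes
# (wrong BIOS clock -> unbound rejects DNSSEC -> ntpd cannot resolve pool names).
# All sample data below is constructed for the demonstration.

# Constructed copy of the syslog line quoted in the thread.
SAMPLE_LOG='Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN'

# Constructed ntp.conf fragment containing only symbolic pool names.
SAMPLE_NTP_CONF='pool 0.freebsd.pool.ntp.org iburst
pool 1.freebsd.pool.ntp.org iburst'

# unbound_anchor_failed LOGTEXT: succeeds if unbound logged the trust-anchor priming failure.
unbound_anchor_failed() {
    printf '%s\n' "$1" | grep -q 'failed to prime trust anchor'
}

# clock_is_plausible YEAR MIN_YEAR: succeeds unless the clock year is older than a known
# floor (assumption: MIN_YEAR is the release year; a clock before it cannot be right).
clock_is_plausible() {
    [ "$1" -ge "$2" ]
}

# ntp_conf_has_numeric_server CONFTEXT: succeeds if some server/pool/peer line names a
# literal IPv4 address, which ntpd could reach without working DNS.
ntp_conf_has_numeric_server() {
    printf '%s\n' "$1" \
      | grep -Eq '^[[:space:]]*(server|pool|peer)[[:space:]]+[0-9]+(\.[0-9]+){3}([[:space:]]|$)'
}

# diagnose YEAR MIN_YEAR LOGTEXT CONFTEXT: prints a verdict; returns 1 when all three
# conditions of the deadlock hold at once, 0 otherwise.
diagnose() {
    year=$1; min_year=$2; log=$3; conf=$4
    if ! clock_is_plausible "$year" "$min_year" && unbound_anchor_failed "$log" \
        && ! ntp_conf_has_numeric_server "$conf"; then
        echo "deadlock: clock year $year is before $min_year, unbound rejects DNSSEC, ntp.conf has no numeric server"
        return 1
    fi
    echo "no deadlock: clock year $year, ntpd should be able to resolve and sync"
    return 0
}

# Demo with the 2008 date the poster saw, against a 2016 release-year floor.
diagnose 2008 2016 "$SAMPLE_LOG" "$SAMPLE_NTP_CONF" \
    || echo "set the clock manually (or add a numeric server) so ntpd can resolve pool names"
```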

Lowell Gilbert

Jun 3, 2016, 2:34:54 PM
Slawa Olhovchenkov <s...@zxy.spb.ru> writes:

> A default install with local_unbound and ntpd can't be functional with an
> incorrect date/time in BIOS:
>
> Unbound requires correct time for the DNSSEC check and refuses queries
> ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
>
> ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
> symbolic names like 0.freebsd.pool.ntp.org; as a result, it can't
> resolve them (see above, about DNSKEY).

I can't see how this would happen. DNSSEC doesn't seem to be required in
a regular install as far as I can see. Certainly I don't have any
problem on any of my systems, and I've never configured an anchor on the
internal systems.

> IMHO, ntp.conf needs to include some numeric IPs of public ntp servers.

Ouch; that's a terrible idea, for several different reasons.

Slawa Olhovchenkov

Jun 3, 2016, 3:15:46 PM
On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:

> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
>
> > A default install with local_unbound and ntpd can't be functional with an
> > incorrect date/time in BIOS:
> >
> > Unbound requires correct time for the DNSSEC check and refuses queries
> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> >
> > ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
> > symbolic names like 0.freebsd.pool.ntp.org; as a result, it can't
> > resolve them (see above, about DNSKEY).
>
> I can't see how this would happen. DNSSEC doesn't seem to be required in
> a regular install as far as I can see. Certainly I don't have any

I don't know the reason for enforcing DNSSEC in a regular install.
I just select `local_unbound` at setup time and enter `127.0.0.1` as
the nameserver address.

> problem on any of my systems, and I've never configured an anchor on the
> internal systems.
>
> > IMHO, ntp.conf needs to include some numeric IPs of public ntp servers.
>
> Ouch; that's a terrible idea, for several different reasons.

What else?

Dag-Erling Smørgrav

Jun 7, 2016, 8:30:02 PM
Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> IMHO, ntp.conf needs to include some numeric IPs of public ntp servers.

https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse
https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link

DES
--
Dag-Erling Smørgrav - d...@des.no

Slawa Olhovchenkov

Jun 8, 2016, 5:49:21 AM
On Wed, Jun 08, 2016 at 02:29:29AM +0200, Dag-Erling Smørgrav wrote:

> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> > IMHO, ntp.conf needs to include some numeric IPs of public ntp servers.
>
> https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse
> https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link

What is your suggestion?

Slawa Olhovchenkov

Jun 9, 2016, 4:05:07 AM
On Thu, Jun 09, 2016 at 08:39:42AM +0100, krad wrote:

> Google's will be pretty static, but I would just use them as a one-off, i.e.
> with ntpdate

I am talking about the FreeBSD system/project.

>
> On 8 June 2016 at 10:48, Slawa Olhovchenkov <s...@zxy.spb.ru> wrote:
>
> > On Wed, Jun 08, 2016 at 02:29:29AM +0200, Dag-Erling Smørgrav wrote:
> >
> > > Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> > > > IMHO, ntp.conf needs to include some numeric IPs of public ntp servers.
> > >
> > > https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse
> > > https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link
> >
> > What is your suggestion?

Slawa Olhovchenkov

Jun 9, 2016, 9:38:05 AM
On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:

> I doubt that will happen as you are asking to pollute every release
> installation for an edge condition when there are numerous workarounds
> that would be acceptable to most. e.g. two lines in rc.conf will fix the
> issue.

This manual editing will be required for every install on RPi, for
example.

Also, this issue is hard to diagnose for an average user.

Slawa Olhovchenkov

Jun 10, 2016, 9:18:19 AM
On Fri, Jun 10, 2016 at 12:53:04PM +0100, krad wrote:

> Pretty much every box requires some form of configuration so it's a moot
> point. If you want automated deployment you will almost certainly be
> building a PXE or prepared USB/CD image of some sort. In which case you
> include these settings in the deployed rc.conf.

This sounds like "installer and default config not needed, use ansible
for all".
