Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss
unbound and ntp issuse
204 views
Skip to first unread message
Slawa Olhovchenkov
Jun 2, 2016, 10:53:58 AM6/2/16
to
Default install with local_unbound and ntpd can't be functional with
incorrect date/time in BIOS:
Unbound requred correct time for DNSSEC check and refuseing queries
("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
ntpd don't have any numeric IP of ntp servers in ntp.conf -- only
symbolic names like 0.freebsd.pool.ntp.org, as result -- can't
resolve (see above, about DNSKEY).
IMHO, ntp.conf need to include some numeric IP of public ntp servers.
# date
Tue Jul 1 20:36:31 MSD 2008
_______________________________________________
freebsd...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stabl...@freebsd.org"
incorrect date/time in BIOS:
Unbound requred correct time for DNSSEC check and refuseing queries
("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
ntpd don't have any numeric IP of ntp servers in ntp.conf -- only
symbolic names like 0.freebsd.pool.ntp.org, as result -- can't
resolve (see above, about DNSKEY).
IMHO, ntp.conf need to include some numeric IP of public ntp servers.
# date
Tue Jul 1 20:36:31 MSD 2008
_______________________________________________
freebsd...@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stabl...@freebsd.org"
Lowell Gilbert
Jun 6, 2016, 9:34:09 AM6/6/16
to
Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
>> a regular install as far as I can see. Certainly I don't have any
>
> I don't know reasson for enforcing DNSSEC in regular install.
> I am just select `local_unbound` at setup time and enter `127.0.0.1` as
> nameserver address.
That's not enough to configure unbound as a fully recursive DNS
server. If your system gets its address through DHCP, it is probably
getting DNS server addresses as well, and would work fine *without* your
configuring any of the DNS state.
>> problem on any of my systems, and I've never configured an anchor on the
>> internal systems.
>
> What else?
All the normal reasons that hard-coding IP addresses is a bad idea; they
can change, you're encouraging a lot of people to use the same ones, etc.
> On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
>
>> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
>>
>> > Default install with local_unbound and ntpd can't be functional with
>> > incorrect date/time in BIOS:
>> >
>> > Unbound requred correct time for DNSSEC check and refuseing queries
>> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
>> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
>> >
>> > ntpd don't have any numeric IP of ntp servers in ntp.conf -- only
>> > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't
>> > resolve (see above, about DNSKEY).
>>
>> I can't see how this would happen. DNSSEC doesn't seem to be required in
>> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
>>
>> > Default install with local_unbound and ntpd can't be functional with
>> > incorrect date/time in BIOS:
>> >
>> > Unbound requred correct time for DNSSEC check and refuseing queries
>> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
>> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
>> >
>> > ntpd don't have any numeric IP of ntp servers in ntp.conf -- only
>> > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't
>> > resolve (see above, about DNSKEY).
>>
>> a regular install as far as I can see. Certainly I don't have any
>
> I don't know reasson for enforcing DNSSEC in regular install.
> I am just select `local_unbound` at setup time and enter `127.0.0.1` as
> nameserver address.
That's not enough to configure unbound as a fully recursive DNS
server. If your system gets its address through DHCP, it is probably
getting DNS server addresses as well, and would work fine *without* your
configuring any of the DNS state.
>> problem on any of my systems, and I've never configured an anchor on the
>> internal systems.
>>
>> > IMHO, ntp.conf need to include some numeric IP of public ntp servers.
>>
>> Ouch; that's a terrible idea, for several different reasons.
>> > IMHO, ntp.conf need to include some numeric IP of public ntp servers.
>>
>
> What else?
All the normal reasons that hard-coding IP addresses is a bad idea; they
can change, you're encouraging a lot of people to use the same ones, etc.
Slawa Olhovchenkov
Jun 6, 2016, 10:15:57 AM6/6/16
to
On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
>
> > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> >
> >> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> >>
> >> > Default install with local_unbound and ntpd can't be functional with
> >> > incorrect date/time in BIOS:
> >> >
> >> > Unbound requred correct time for DNSSEC check and refuseing queries
> >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> >> >
> >> > ntpd don't have any numeric IP of ntp servers in ntp.conf -- only
> >> > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't
> >> > resolve (see above, about DNSKEY).
> >>
> >> I can't see how this would happen. DNSSEC doesn't seem to be required in
> >> a regular install as far as I can see. Certainly I don't have any
> >
> > I don't know reasson for enforcing DNSSEC in regular install.
> > I am just select `local_unbound` at setup time and enter `127.0.0.1` as
> > nameserver address.
>
> That's not enough to configure unbound as a fully recursive DNS
> server.
What I am missing?
> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
>
> > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> >
> >> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> >>
> >> > Default install with local_unbound and ntpd can't be functional with
> >> > incorrect date/time in BIOS:
> >> >
> >> > Unbound requred correct time for DNSSEC check and refuseing queries
> >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> >> >
> >> > ntpd don't have any numeric IP of ntp servers in ntp.conf -- only
> >> > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't
> >> > resolve (see above, about DNSKEY).
> >>
> >> I can't see how this would happen. DNSSEC doesn't seem to be required in
> >> a regular install as far as I can see. Certainly I don't have any
> >
> > I don't know reasson for enforcing DNSSEC in regular install.
> > I am just select `local_unbound` at setup time and enter `127.0.0.1` as
> > nameserver address.
>
> That's not enough to configure unbound as a fully recursive DNS
> server.
Need to fix unbound setup scripts? bsdinstall scripts?
As I see unbound setup scripts detects 127.0.0.1 in resolv.conf and
configured unbound as fully recursive DNS server.
> If your system gets its address through DHCP, it is probably
> getting DNS server addresses as well, and would work fine *without* your
> configuring any of the DNS state.
> >> problem on any of my systems, and I've never configured an anchor on the
> >> internal systems.
> >>
> >> > IMHO, ntp.conf need to include some numeric IP of public ntp servers.
> >>
> >> Ouch; that's a terrible idea, for several different reasons.
> >
> > What else?
>
> All the normal reasons that hard-coding IP addresses is a bad idea; they
> can change, you're encouraging a lot of people to use the same ones, etc.
- default install with unbound as recursive DNS server (by default
enforcing DNSSEC)
- ntp time synchronisation
- stale CMOS time (2008 year)
krad
Jun 7, 2016, 4:01:06 AM6/7/16
to
Well there is a deadlock situation there so you have to relax one of the
conditions, for one time at least.
Your best bet is to do a manual ntpdate against a fixed ip of known
goodness. If you have a lot of machines you need to do this on, use ansible
or similar to do the heavy lifting for you. Ansible is best in my opinion
if you dont have anything setup as its quick to get going. It does require
python on the target machines so you would need to install that first.
Something like the following should get it working (as you dont have dns on
the target machine, package fetches wont work, so i would tunnel a squid
proxy and let that handle all the internet stuff.
add something like the following to your ssh_config
Host *
RemoteForward 31280 squid_server:3128
then run some stuff like this (after installing ansible on your
desktop/bastion host)
ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy=
http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i
<host_list_file> -kS --ask-su-pass
ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy=
http://127.0.0.1:31280 pkg install python' -u root -i <host_list_file>
-kS --ask-su-pass
ansible -m shell -a "ntpdate <good_ntp_server_ip>" -kS --ask-su-pass -i
<host_list_file>
from here on you should be able to start unbound and then ntpd eg
ansible -m service -a "name=local_unbound state=restarted"
-kS --ask-su-pass -i <host_list_file>
ansible -m service -a "name=ntpd state=restarted" -kS --ask-su-pass -i
<host_list_file
Alternatively you could just relax your dnssec rules on first boot to give
ntp a chance. Probably much easier 8)
Also make sure you are using the '-g' flag on ntpd
conditions, for one time at least.
Your best bet is to do a manual ntpdate against a fixed ip of known
goodness. If you have a lot of machines you need to do this on, use ansible
or similar to do the heavy lifting for you. Ansible is best in my opinion
if you dont have anything setup as its quick to get going. It does require
python on the target machines so you would need to install that first.
Something like the following should get it working (as you dont have dns on
the target machine, package fetches wont work, so i would tunnel a squid
proxy and let that handle all the internet stuff.
add something like the following to your ssh_config
Host *
RemoteForward 31280 squid_server:3128
then run some stuff like this (after installing ansible on your
desktop/bastion host)
ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy=
http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i
<host_list_file> -kS --ask-su-pass
ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy=
http://127.0.0.1:31280 pkg install python' -u root -i <host_list_file>
-kS --ask-su-pass
ansible -m shell -a "ntpdate <good_ntp_server_ip>" -kS --ask-su-pass -i
<host_list_file>
from here on you should be able to start unbound and then ntpd eg
ansible -m service -a "name=local_unbound state=restarted"
-kS --ask-su-pass -i <host_list_file>
ansible -m service -a "name=ntpd state=restarted" -kS --ask-su-pass -i
<host_list_file
Alternatively you could just relax your dnssec rules on first boot to give
ntp a chance. Probably much easier 8)
Also make sure you are using the '-g' flag on ntpd
Slawa Olhovchenkov
Jun 7, 2016, 4:48:01 AM6/7/16
to
May be this is posible by startup scripts?
Also, some platforms lack of CMOS time, RPi, for example.
> Also make sure you are using the '-g' flag on ntpd
I am suggest do it by checkbox in bsdinstall.
krad
Jun 7, 2016, 6:36:31 AM6/7/16
to
Like i said you could configure ntpdate as well as ntpd, but give it a
known good ip. It will only run once at boot, and ntpd will start after so
that can use the nice pool names.
A slightly better way maybe to give ntpdate a server hostname like
ntp-server and populated the hosts file with one of the ips from
pool.ntp.org. You could then have a periodic script to check and update the
ip in the hosts every day, so it works over a reboot. The ip would
obviously have to have an initial seed value, but you could work this out
progmatically at system configuration time with tools like ansible.
known good ip. It will only run once at boot, and ntpd will start after so
that can use the nice pool names.
A slightly better way maybe to give ntpdate a server hostname like
ntp-server and populated the hosts file with one of the ips from
pool.ntp.org. You could then have a periodic script to check and update the
ip in the hosts every day, so it works over a reboot. The ip would
obviously have to have an initial seed value, but you could work this out
progmatically at system configuration time with tools like ansible.
Slawa Olhovchenkov
Jun 7, 2016, 6:44:01 AM6/7/16
to
On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote:
> Like i said you could configure ntpdate as well as ntpd, but give it a
> known good ip. It will only run once at boot, and ntpd will start after so
> that can use the nice pool names.
>
> A slightly better way maybe to give ntpdate a server hostname like
> ntp-server and populated the hosts file with one of the ips from
> pool.ntp.org. You could then have a periodic script to check and update the
> ip in the hosts every day, so it works over a reboot. The ip would
> obviously have to have an initial seed value, but you could work this out
> progmatically at system configuration time with tools like ansible.
What purpose don't do it by standart scripts from base systems?
> Like i said you could configure ntpdate as well as ntpd, but give it a
> known good ip. It will only run once at boot, and ntpd will start after so
> that can use the nice pool names.
>
> A slightly better way maybe to give ntpdate a server hostname like
> ntp-server and populated the hosts file with one of the ips from
> pool.ntp.org. You could then have a periodic script to check and update the
> ip in the hosts every day, so it works over a reboot. The ip would
> obviously have to have an initial seed value, but you could work this out
> progmatically at system configuration time with tools like ansible.
Enforcing DNSSEC must be prevent this strange works on all systems
lack CMOS time.
I am not expert in sh scripting for this automation.
krad
Jun 7, 2016, 7:09:37 AM6/7/16
to
something as simple as this thrown in /etc/periodic/daily/ would probably
do it.
#!/bin/sh
ip=`dig pool.ntp.org +short | head -1'
cp /etc/hosts /etc/hosts.old &&
sed -e "s/.*ntp-server/$ip ntp-server/" /etc/hosts.old > /etc/hosts
with these lines in rc.conf
ntpdate_enable=yes
ntpdate_servers="ntp-server"
do it.
#!/bin/sh
ip=`dig pool.ntp.org +short | head -1'
cp /etc/hosts /etc/hosts.old &&
sed -e "s/.*ntp-server/$ip ntp-server/" /etc/hosts.old > /etc/hosts
with these lines in rc.conf
ntpdate_enable=yes
ntpdate_servers="ntp-server"
krad
Jun 7, 2016, 7:10:40 AM6/7/16
to
whops that should be
ntpdate_hosts not servers
ntpdate_hosts not servers
Ian Lepore
Jun 7, 2016, 9:30:09 AM6/7/16
to
On Tue, 2016-06-07 at 12:10 +0100, krad wrote:
> whops that should be
>
> ntpdate_hosts not servers
>
These suggestions are essentially insane because they're ignoring the
> whops that should be
>
> ntpdate_hosts not servers
>
basic fact that the freebsd installer creates a non-working system. If
unbound requires DNSSEC, and DNSSEC requires good time, and good time
requires hostname resolution, then that circular dependency is a
problem that the freebsd project needs to fix, not something to be
hacked around by each individual sysadmin.
It is a bit disturbing to me that the project members who created this
situation have been silent in the face of *months* of reporting of it
by several different users.
-- Ian
Slawa Olhovchenkov
Jun 7, 2016, 9:33:05 AM6/7/16
to
On Tue, Jun 07, 2016 at 07:29:32AM -0600, Ian Lepore wrote:
> On Tue, 2016-06-07 at 12:10 +0100, krad wrote:
> > whops that should be
> >
> > ntpdate_hosts not servers
> >
>
> These suggestions are essentially insane because they're ignoring the
> basic fact that the freebsd installer creates a non-working system. If
> unbound requires DNSSEC, and DNSSEC requires good time, and good time
> requires hostname resolution, then that circular dependency is a
> problem that the freebsd project needs to fix, not something to be
> hacked around by each individual sysadmin.
Exactly! This is may point!
> On Tue, 2016-06-07 at 12:10 +0100, krad wrote:
> > whops that should be
> >
> > ntpdate_hosts not servers
> >
>
> These suggestions are essentially insane because they're ignoring the
> basic fact that the freebsd installer creates a non-working system. If
> unbound requires DNSSEC, and DNSSEC requires good time, and good time
> requires hostname resolution, then that circular dependency is a
> problem that the freebsd project needs to fix, not something to be
> hacked around by each individual sysadmin.
> It is a bit disturbing to me that the project members who created this
> situation have been silent in the face of *months* of reporting of it
> by several different users.
krad
Jun 7, 2016, 10:00:41 AM6/7/16
to
it's a non solvable problem though as its a deadlock. You have to remove
one of the criteria in order to fix the issue automatically.
one of the criteria in order to fix the issue automatically.
krad
Jun 7, 2016, 10:06:39 AM6/7/16
to
running this at boot time may help as well
unbound-control set_option val-permissive-mode: yes
then after ntpd has started up run this
unbound-control set_option val-permissive-mode: no
Yes work around's, but work around's work by definition.
unbound-control set_option val-permissive-mode: yes
then after ntpd has started up run this
unbound-control set_option val-permissive-mode: no
Yes work around's, but work around's work by definition.
Slawa Olhovchenkov
Jun 7, 2016, 11:04:06 AM6/7/16
to
On Tue, Jun 07, 2016 at 04:56:47PM +0200, Ronald Klop wrote:
> On Tue, 07 Jun 2016 12:43:35 +0200, Slawa Olhovchenkov <s...@zxy.spb.ru>
> wrote:
>
> > On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote:
> >
> >> Like i said you could configure ntpdate as well as ntpd, but give it a
> >> known good ip. It will only run once at boot, and ntpd will start after
> >> so
> >> that can use the nice pool names.
> >>
> >> A slightly better way maybe to give ntpdate a server hostname like
> >> ntp-server and populated the hosts file with one of the ips from
> >> pool.ntp.org. You could then have a periodic script to check and update
> >> the
> >> ip in the hosts every day, so it works over a reboot. The ip would
> >> obviously have to have an initial seed value, but you could work this
> >> out
> >> progmatically at system configuration time with tools like ansible.
> >
> > What purpose don't do it by standart scripts from base systems?
> > Enforcing DNSSEC must be prevent this strange works on all systems
> > lack CMOS time.
>
>
> If the system lacks CMOS time it is hard to fix this problem. It is not
> only about NTP+DNSSEC, but also about the lack of timekeeping. This
> timekeeping problem can be solved by using a local ntp-server. That would
> break the deadlock of NTP+DNSSEC.
ntpd_sync_on_start=yes
unbound start in relaxed mode until time sinced
after ntp synced unbound switcheed to DNSSEC mode.
ntp re-resolved ntp server addrees
What wrong with this?
Some software need modification, yes.
This is price for DNSSEC enforcing.
Many systems don't have CMOS by design.
> On Tue, 07 Jun 2016 12:43:35 +0200, Slawa Olhovchenkov <s...@zxy.spb.ru>
> wrote:
>
> > On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote:
> >
> >> Like i said you could configure ntpdate as well as ntpd, but give it a
> >> known good ip. It will only run once at boot, and ntpd will start after
> >> so
> >> that can use the nice pool names.
> >>
> >> A slightly better way maybe to give ntpdate a server hostname like
> >> ntp-server and populated the hosts file with one of the ips from
> >> pool.ntp.org. You could then have a periodic script to check and update
> >> the
> >> ip in the hosts every day, so it works over a reboot. The ip would
> >> obviously have to have an initial seed value, but you could work this
> >> out
> >> progmatically at system configuration time with tools like ansible.
> >
> > What purpose don't do it by standart scripts from base systems?
> > Enforcing DNSSEC must be prevent this strange works on all systems
> > lack CMOS time.
>
>
> only about NTP+DNSSEC, but also about the lack of timekeeping. This
> timekeeping problem can be solved by using a local ntp-server. That would
> break the deadlock of NTP+DNSSEC.
ntpd_sync_on_start=yes
unbound start in relaxed mode until time sinced
after ntp synced unbound switcheed to DNSSEC mode.
ntp re-resolved ntp server addrees
What wrong with this?
Some software need modification, yes.
This is price for DNSSEC enforcing.
Many systems don't have CMOS by design.
Ronald Klop
Jun 7, 2016, 11:12:59 AM6/7/16
to
On Tue, 07 Jun 2016 12:43:35 +0200, Slawa Olhovchenkov <s...@zxy.spb.ru>
wrote:
> On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote:
>
>> Like i said you could configure ntpdate as well as ntpd, but give it a
>> known good ip. It will only run once at boot, and ntpd will start after
>> so
>> that can use the nice pool names.
>>
>> A slightly better way maybe to give ntpdate a server hostname like
>> ntp-server and populated the hosts file with one of the ips from
>> pool.ntp.org. You could then have a periodic script to check and update
>> the
>> ip in the hosts every day, so it works over a reboot. The ip would
>> obviously have to have an initial seed value, but you could work this
>> out
>> progmatically at system configuration time with tools like ansible.
>
> What purpose don't do it by standart scripts from base systems?
> Enforcing DNSSEC must be prevent this strange works on all systems
> lack CMOS time.
wrote:
> On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote:
>
>> Like i said you could configure ntpdate as well as ntpd, but give it a
>> known good ip. It will only run once at boot, and ntpd will start after
>> so
>> that can use the nice pool names.
>>
>> A slightly better way maybe to give ntpdate a server hostname like
>> ntp-server and populated the hosts file with one of the ips from
>> pool.ntp.org. You could then have a periodic script to check and update
>> the
>> ip in the hosts every day, so it works over a reboot. The ip would
>> obviously have to have an initial seed value, but you could work this
>> out
>> progmatically at system configuration time with tools like ansible.
>
> What purpose don't do it by standart scripts from base systems?
> Enforcing DNSSEC must be prevent this strange works on all systems
> lack CMOS time.
If the system lacks CMOS time it is hard to fix this problem. It is not
only about NTP+DNSSEC, but also about the lack of timekeeping. This
timekeeping problem can be solved by using a local ntp-server. That would
break the deadlock of NTP+DNSSEC.
Ronald.
only about NTP+DNSSEC, but also about the lack of timekeeping. This
timekeeping problem can be solved by using a local ntp-server. That would
break the deadlock of NTP+DNSSEC.
krad
Jun 9, 2016, 3:40:13 AM6/9/16
to
googles will be pretty static, but i would just use them as a one off, ie
with ntpdate
with ntpdate
On 8 June 2016 at 10:48, Slawa Olhovchenkov <s...@zxy.spb.ru> wrote:
> On Wed, Jun 08, 2016 at 02:29:29AM +0200, Dag-Erling Smørgrav wrote:
>
> > Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> > > IMHO, ntp.conf need to include some numeric IP of public ntp servers.
> >
> > https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse
> > https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link
>
> What you suggestion?
krad
Jun 9, 2016, 9:29:40 AM6/9/16
to
I doubt that will happen as you are asking to pollute every release
installation for an edge condition when there is numerous work arounds
that would be acceptable to most. eg two lines in rc.conf will fix the
issue.
installation for an edge condition when there is numerous work arounds
that would be acceptable to most. eg two lines in rc.conf will fix the
issue.
On 9 June 2016 at 09:04, Slawa Olhovchenkov <s...@zxy.spb.ru> wrote:
> On Thu, Jun 09, 2016 at 08:39:42AM +0100, krad wrote:
>
> > googles will be pretty static, but i would just use them as a one off, ie
> > with ntpdate
>
> i am talk about freebsd system/project.
Lowell Gilbert
Jun 9, 2016, 9:48:58 AM6/9/16
to
Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
>
>> I doubt that will happen as you are asking to pollute every release
>> installation for an edge condition when there is numerous work arounds
>> that would be acceptable to most. eg two lines in rc.conf will fix the
>> issue.
>
> This manual editing will be required by every install on RPi, for
> example.
No, it won't. Most people will just give the system a valid DNS
configuration, and the clock will not be an issue.
> On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
>
>> I doubt that will happen as you are asking to pollute every release
>> installation for an edge condition when there is numerous work arounds
>> that would be acceptable to most. eg two lines in rc.conf will fix the
>> issue.
>
> example.
No, it won't. Most people will just give the system a valid DNS
configuration, and the clock will not be an issue.
Slawa Olhovchenkov
Jun 9, 2016, 10:02:36 AM6/9/16
to
On Thu, Jun 09, 2016 at 09:48:25AM -0400, Lowell Gilbert wrote:
> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
>
> > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
> >
> >> I doubt that will happen as you are asking to pollute every release
> >> installation for an edge condition when there is numerous work arounds
> >> that would be acceptable to most. eg two lines in rc.conf will fix the
> >> issue.
> >
> > This manual editing will be required by every install on RPi, for
> > example.
>
> No, it won't. Most people will just give the system a valid DNS
> configuration, and the clock will not be an issue.
What invalid in my DNS configuration?
> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
>
> > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
> >
> >> I doubt that will happen as you are asking to pollute every release
> >> installation for an edge condition when there is numerous work arounds
> >> that would be acceptable to most. eg two lines in rc.conf will fix the
> >> issue.
> >
> > This manual editing will be required by every install on RPi, for
> > example.
>
> No, it won't. Most people will just give the system a valid DNS
> configuration, and the clock will not be an issue.
Lowell Gilbert
Jun 9, 2016, 2:31:50 PM6/9/16
to
Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> On Thu, Jun 09, 2016 at 09:48:25AM -0400, Lowell Gilbert wrote:
>
>> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
>>
>> > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
>> >
>> >> I doubt that will happen as you are asking to pollute every release
>> >> installation for an edge condition when there is numerous work arounds
>> >> that would be acceptable to most. eg two lines in rc.conf will fix the
>> >> issue.
>> >
>> > This manual editing will be required by every install on RPi, for
>> > example.
>>
>> No, it won't. Most people will just give the system a valid DNS
>> configuration, and the clock will not be an issue.
>
> What invalid in my DNS configuration?
You said that you configured 127.0.0.1 as your DNS server. You didn't
> On Thu, Jun 09, 2016 at 09:48:25AM -0400, Lowell Gilbert wrote:
>
>> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
>>
>> > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
>> >
>> >> I doubt that will happen as you are asking to pollute every release
>> >> installation for an edge condition when there is numerous work arounds
>> >> that would be acceptable to most. eg two lines in rc.conf will fix the
>> >> issue.
>> >
>> > This manual editing will be required by every install on RPi, for
>> > example.
>>
>> No, it won't. Most people will just give the system a valid DNS
>> configuration, and the clock will not be an issue.
>
> What invalid in my DNS configuration?
say how (or rather where) you did that, but if you had used the address
of a working upstream recursive server, I suspect there wouldn't have
been any problem.
Slawa Olhovchenkov
Jun 9, 2016, 2:57:13 PM6/9/16
to
On Thu, Jun 09, 2016 at 02:31:17PM -0400, Lowell Gilbert wrote:
> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
>
> > On Thu, Jun 09, 2016 at 09:48:25AM -0400, Lowell Gilbert wrote:
> >
> >> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> >>
> >> > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
> >> >
> >> >> I doubt that will happen as you are asking to pollute every release
> >> >> installation for an edge condition when there is numerous work arounds
> >> >> that would be acceptable to most. eg two lines in rc.conf will fix the
> >> >> issue.
> >> >
> >> > This manual editing will be required by every install on RPi, for
> >> > example.
> >>
> >> No, it won't. Most people will just give the system a valid DNS
> >> configuration, and the clock will not be an issue.
> >
> > What invalid in my DNS configuration?
>
> You said that you configured 127.0.0.1 as your DNS server. You didn't
> say how (or rather where) you did that, but if you had used the address
> of a working upstream recursive server, I suspect there wouldn't have
> been any problem.
Configuring 127.0.0.1 as DNS server and enabling loacal_unbound cause
> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
>
> > On Thu, Jun 09, 2016 at 09:48:25AM -0400, Lowell Gilbert wrote:
> >
> >> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> >>
> >> > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
> >> >
> >> >> I doubt that will happen as you are asking to pollute every release
> >> >> installation for an edge condition when there is numerous work arounds
> >> >> that would be acceptable to most. eg two lines in rc.conf will fix the
> >> >> issue.
> >> >
> >> > This manual editing will be required by every install on RPi, for
> >> > example.
> >>
> >> No, it won't. Most people will just give the system a valid DNS
> >> configuration, and the clock will not be an issue.
> >
> > What invalid in my DNS configuration?
>
> You said that you configured 127.0.0.1 as your DNS server. You didn't
> say how (or rather where) you did that, but if you had used the address
> of a working upstream recursive server, I suspect there wouldn't have
> been any problem.
unbound acts as recursive resolver. This is conventional setup.
("No forwarders found in resolv.conf, unbound will recurse."
-- from /usr/sbin/local-unbound-setup)
Using upstream recursive server with local unbound will cause same
problem, IMHO, because unbound will be enfocing DNSSEC by the same
way and rejecting all answers from upstream.
krad
Jun 10, 2016, 7:53:37 AM6/10/16
to
Pretty much every box requires some form of configuration so its a moot
point. IF you want automated deployment you will almost certainly be
building a pxe or prepreared usb/cd image of some sort. In which case you
include these settings in the deployed rc.conf.
point. IF you want automated deployment you will almost certainly be
building a pxe or prepreared usb/cd image of some sort. In which case you
include these settings in the deployed rc.conf.
On 9 June 2016 at 14:37, Slawa Olhovchenkov <s...@zxy.spb.ru> wrote:
> On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
>
> > I doubt that will happen as you are asking to pollute every release
> > installation for an edge condition when there is numerous work arounds
> > that would be acceptable to most. eg two lines in rc.conf will fix the
> > issue.
>
> This manual editing will be required by every install on RPi, for
> example.
>
> Also, this issuse hard to dignostics by average user.
Lowell Gilbert
Jun 10, 2016, 3:10:48 PM6/10/16
to
Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> On Thu, Jun 09, 2016 at 02:31:17PM -0400, Lowell Gilbert wrote:
>
>> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
>>
>> > On Thu, Jun 09, 2016 at 09:48:25AM -0400, Lowell Gilbert wrote:
>> >
>> >> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
>> >>
>> >> > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
>> >> >
>> >> >> I doubt that will happen as you are asking to pollute every release
>> >> >> installation for an edge condition when there is numerous work arounds
>> >> >> that would be acceptable to most. eg two lines in rc.conf will fix the
>> >> >> issue.
>> >> >
>> >> > This manual editing will be required by every install on RPi, for
>> >> > example.
>> >>
>> >> No, it won't. Most people will just give the system a valid DNS
>> >> configuration, and the clock will not be an issue.
>> >
>> > What invalid in my DNS configuration?
>>
>> You said that you configured 127.0.0.1 as your DNS server. You didn't
>> say how (or rather where) you did that, but if you had used the address
>> of a working upstream recursive server, I suspect there wouldn't have
>> been any problem.
>
> Configuring 127.0.0.1 as DNS server and enabling loacal_unbound cause
> unbound acts as recursive resolver. This is conventional setup.
> ("No forwarders found in resolv.conf, unbound will recurse."
> -- from /usr/sbin/local-unbound-setup)
I'll check on it if I get a chance.
> On Thu, Jun 09, 2016 at 02:31:17PM -0400, Lowell Gilbert wrote:
>
>> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
>>
>> > On Thu, Jun 09, 2016 at 09:48:25AM -0400, Lowell Gilbert wrote:
>> >
>> >> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
>> >>
>> >> > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
>> >> >
>> >> >> I doubt that will happen as you are asking to pollute every release
>> >> >> installation for an edge condition when there is numerous work arounds
>> >> >> that would be acceptable to most. eg two lines in rc.conf will fix the
>> >> >> issue.
>> >> >
>> >> > This manual editing will be required by every install on RPi, for
>> >> > example.
>> >>
>> >> No, it won't. Most people will just give the system a valid DNS
>> >> configuration, and the clock will not be an issue.
>> >
>> > What invalid in my DNS configuration?
>>
>> You said that you configured 127.0.0.1 as your DNS server. You didn't
>> say how (or rather where) you did that, but if you had used the address
>> of a working upstream recursive server, I suspect there wouldn't have
>> been any problem.
>
> Configuring 127.0.0.1 as DNS server and enabling loacal_unbound cause
> unbound acts as recursive resolver. This is conventional setup.
> ("No forwarders found in resolv.conf, unbound will recurse."
> -- from /usr/sbin/local-unbound-setup)
> Using upstream recursive server with local unbound will cause same
> problem, IMHO, because unbound will be enfocing DNSSEC by the same
> way and rejecting all answers from upstream.
would be having the problem.
Brandon Allbery
Jun 10, 2016, 3:17:57 PM6/10/16
to
On Fri, Jun 10, 2016 at 3:10 PM, Lowell Gilbert <
freebsd-st...@be-well.ilk.org> wrote:
> Well, we know that is not the case, because in that case nearly everyone
> would be having the problem.
>
That would be the point... maybe not "nearly everyone" although it is hard
freebsd-st...@be-well.ilk.org> wrote:
> Well, we know that is not the case, because in that case nearly everyone
> would be having the problem.
>
to be certain, but I ran headlong into this when I tried to install --- and
thought I'd done something wrong until this thread, where I learned that it
doesn't work -out of the box-.
--
brandon s allbery kf8nh sine nomine associates
allb...@gmail.com ball...@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonad http://sinenomine.net
Slawa Olhovchenkov
Jun 10, 2016, 5:45:01 PM6/10/16
to
after CMOS reset)
Slawa Olhovchenkov
Jun 14, 2016, 11:19:32 AM6/14/16
to
On Tue, Jun 14, 2016 at 07:55:34AM -0700, Chris H wrote:
> I'm playing catchup on my INBOX, so apologies in advance, if this has
> already been satisfactorily answered...
Main question not about how I am can resolve my current issuse.
Main question about deadloop after setup.
> On Mon, 6 Jun 2016 16:50:18 +0300 Slawa Olhovchenkov <s...@zxy.spb.ru> wrote
> Find a reliable time server in your region, and once found add it
> *early* in your rc.conf(5). Well, ahead of your unbound stanza. ie;
> hostname="..."
> ifconfig_re0="inet ... netmask ..."
> defaultrouter="..."
> ntpdate_enable="YES"
> ntpdate_hosts="a reliable regional time server"
Already pointed about draw back using IP address of NTP servers.
>
> unbound_enable="YES"
> ..
>
> ALSO. Since you're upstream will, in all likelihood have informed
> you of a preferred set of 2 name servers. Place one of them in your
> hosts(5) file. This will help ensure that ntpdate(8) can reliably
ok. i.e. cut-off unbound from FreeBSD tree. We don't need unbound and
will always use name servers from upstream, yes?
> discover your regional time server.
>
> That should get you where you want to go. :-)
I am want working setup after FreeBSD installer.
I think best solution is disable enforciment in case of STA_UNSYNC.
% ntptime
ntp_gettime() returns code 0 (OK)
time db0a9e2b.4bd3a1d4 Tue, Jun 14 2016 18:15:55.296, (.296198421),
maximum error 569983 us, estimated error 2912 us, TAI offset 0
ntp_adjtime() returns code 0 (OK)
modes 0x0 (),
offset 3993.151 us, frequency 0.240 ppm, interval 1 s,
maximum error 569983 us, estimated error 2912 us,
status 0x2001 (PLL,NANO),
^^^^^^^^^^^^^^^^^^^^^^^^^^ -- OK, may be enforciment.
time constant 10, precision 0.001 us, tolerance 496 ppm,
Not only for unbound, for SSL too. And may be in the other places.
> --Chris
> I'm playing catchup on my INBOX, so apologies in advance, if this has
> already been satisfactorily answered...
Main question not about how I am can resolve my current issuse.
Main question about deadloop after setup.
> On Mon, 6 Jun 2016 16:50:18 +0300 Slawa Olhovchenkov <s...@zxy.spb.ru> wrote
>
> > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
> >
> > > Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> > >
> > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> > > >
> > > >> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> > > >>
> > > >> > Default install with local_unbound and ntpd can't be functional with
> > > >> > incorrect date/time in BIOS:
> > > >> >
> > > >> > Unbound requred correct time for DNSSEC check and refuseing queries
> > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> > > >> >
> > > >> > ntpd don't have any numeric IP of ntp servers in ntp.conf -- only
> > > >> > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't
> > > >> > resolve (see above, about DNSKEY).
> > > >>
> > > >> I can't see how this would happen. DNSSEC doesn't seem to be required in
> > > >> a regular install as far as I can see. Certainly I don't have any
> > > >
> > > > I don't know reasson for enforcing DNSSEC in regular install.
> > > > I am just select 'local_unbound' at setup time and enter '127.0.0.1' as
> > > > nameserver address.
> > >
> > > That's not enough to configure unbound as a fully recursive DNS
> > > server.
> >
> > What I am missing?
> > Need to fix unbound setup scripts? bsdinstall scripts?
> > As I see unbound setup scripts detects 127.0.0.1 in resolv.conf and
> > configured unbound as fully recursive DNS server.
> May I suggest ntpdate(8)?
> > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
> >
> > > Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> > >
> > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> > > >
> > > >> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> > > >>
> > > >> > Default install with local_unbound and ntpd can't be functional with
> > > >> > incorrect date/time in BIOS:
> > > >> >
> > > >> > Unbound requred correct time for DNSSEC check and refuseing queries
> > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> > > >> >
> > > >> > ntpd don't have any numeric IP of ntp servers in ntp.conf -- only
> > > >> > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't
> > > >> > resolve (see above, about DNSKEY).
> > > >>
> > > >> I can't see how this would happen. DNSSEC doesn't seem to be required in
> > > >> a regular install as far as I can see. Certainly I don't have any
> > > >
> > > > I don't know reasson for enforcing DNSSEC in regular install.
> > > > I am just select 'local_unbound' at setup time and enter '127.0.0.1' as
> > > > nameserver address.
> > >
> > > That's not enough to configure unbound as a fully recursive DNS
> > > server.
> >
> > What I am missing?
> > Need to fix unbound setup scripts? bsdinstall scripts?
> > As I see unbound setup scripts detects 127.0.0.1 in resolv.conf and
> > configured unbound as fully recursive DNS server.
> Find a reliable time server in your region, and once found add it
> *early* in your rc.conf(5). Well, ahead of your unbound stanza. ie;
> hostname="..."
> ifconfig_re0="inet ... netmask ..."
> defaultrouter="..."
> ntpdate_enable="YES"
> ntpdate_hosts="a reliable regional time server"
Already pointed about draw back using IP address of NTP servers.
>
> unbound_enable="YES"
> ..
>
> ALSO. Since you're upstream will, in all likelihood have informed
> you of a preferred set of 2 name servers. Place one of them in your
> hosts(5) file. This will help ensure that ntpdate(8) can reliably
ok. i.e. cut-off unbound from FreeBSD tree. We don't need unbound and
will always use name servers from upstream, yes?
> discover your regional time server.
>
> That should get you where you want to go. :-)
I am want working setup after FreeBSD installer.
I think best solution is disable enforciment in case of STA_UNSYNC.
% ntptime
ntp_gettime() returns code 0 (OK)
time db0a9e2b.4bd3a1d4 Tue, Jun 14 2016 18:15:55.296, (.296198421),
maximum error 569983 us, estimated error 2912 us, TAI offset 0
ntp_adjtime() returns code 0 (OK)
modes 0x0 (),
offset 3993.151 us, frequency 0.240 ppm, interval 1 s,
maximum error 569983 us, estimated error 2912 us,
status 0x2001 (PLL,NANO),
^^^^^^^^^^^^^^^^^^^^^^^^^^ -- OK, may be enforciment.
time constant 10, precision 0.001 us, tolerance 496 ppm,
Not only for unbound, for SSL too. And may be in the other places.
> --Chris
Chris H
Jun 14, 2016, 11:22:43 AM6/14/16
to
I'm playing catchup on my INBOX, so apologies in advance, if this has
already been satisfactorily answered...
already been satisfactorily answered...
> On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
>
> > Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> >
> > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> > >
> > >> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> > >>
> > >> > Default install with local_unbound and ntpd can't be functional with
> > >> > incorrect date/time in BIOS:
> > >> >
> > >> > Unbound requred correct time for DNSSEC check and refuseing queries
> > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> > >> >
> > >> > ntpd don't have any numeric IP of ntp servers in ntp.conf -- only
> > >> > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't
> > >> > resolve (see above, about DNSKEY).
> > >>
> > >> I can't see how this would happen. DNSSEC doesn't seem to be required in
> > >> a regular install as far as I can see. Certainly I don't have any
> > >
> > > I don't know reasson for enforcing DNSSEC in regular install.
> > > I am just select 'local_unbound' at setup time and enter '127.0.0.1' as
> > > nameserver address.
> >
> > That's not enough to configure unbound as a fully recursive DNS
> > server.
>
> What I am missing?
> Need to fix unbound setup scripts? bsdinstall scripts?
> As I see unbound setup scripts detects 127.0.0.1 in resolv.conf and
> configured unbound as fully recursive DNS server.
>
> > Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> >
> > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> > >
> > >> Slawa Olhovchenkov <s...@zxy.spb.ru> writes:
> > >>
> > >> > Default install with local_unbound and ntpd can't be functional with
> > >> > incorrect date/time in BIOS:
> > >> >
> > >> > Unbound requred correct time for DNSSEC check and refuseing queries
> > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> > >> >
> > >> > ntpd don't have any numeric IP of ntp servers in ntp.conf -- only
> > >> > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't
> > >> > resolve (see above, about DNSKEY).
> > >>
> > >> I can't see how this would happen. DNSSEC doesn't seem to be required in
> > >> a regular install as far as I can see. Certainly I don't have any
> > >
> > > I don't know reasson for enforcing DNSSEC in regular install.
> > > I am just select 'local_unbound' at setup time and enter '127.0.0.1' as
> > > nameserver address.
> >
> > That's not enough to configure unbound as a fully recursive DNS
> > server.
>
> What I am missing?
> Need to fix unbound setup scripts? bsdinstall scripts?
> As I see unbound setup scripts detects 127.0.0.1 in resolv.conf and
> configured unbound as fully recursive DNS server.
May I suggest ntpdate(8)?
Find a reliable time server in your region, and once found add it
*early* in your rc.conf(5). Well, ahead of your unbound stanza. ie;
hostname="..."
ifconfig_re0="inet ... netmask ..."
defaultrouter="..."
ntpdate_enable="YES"
ntpdate_hosts="a reliable regional time server"
..
Find a reliable time server in your region, and once found add it
*early* in your rc.conf(5). Well, ahead of your unbound stanza. ie;
hostname="..."
ifconfig_re0="inet ... netmask ..."
defaultrouter="..."
ntpdate_enable="YES"
ntpdate_hosts="a reliable regional time server"
unbound_enable="YES"
..
ALSO. Since you're upstream will, in all likelihood have informed
you of a preferred set of 2 name servers. Place one of them in your
hosts(5) file. This will help ensure that ntpdate(8) can reliably
discover your regional time server.
That should get you where you want to go. :-)
--Chris
That should get you where you want to go. :-)
David Wolfskill
Jun 14, 2016, 12:10:56 PM6/14/16
to
On Tue, Jun 14, 2016 at 07:55:34AM -0700, Chris H wrote:
> I'm playing catchup on my INBOX, so apologies in advance, if this has
> already been satisfactorily answered...
> On Mon, 6 Jun 2016 16:50:18 +0300 Slawa Olhovchenkov <s...@zxy.spb.ru> wrote
> ...
> already been satisfactorily answered...
> On Mon, 6 Jun 2016 16:50:18 +0300 Slawa Olhovchenkov <s...@zxy.spb.ru> wrote
> > What I am missing?
> > Need to fix unbound setup scripts? bsdinstall scripts?
> > As I see unbound setup scripts detects 127.0.0.1 in resolv.conf and
> > configured unbound as fully recursive DNS server.
> May I suggest ntpdate(8)?
> Find a reliable time server in your region, and once found add it
> *early* in your rc.conf(5). Well, ahead of your unbound stanza. ie;
>
> hostname="..."
> ifconfig_re0="inet ... netmask ..."
> defaultrouter="..."
> ....
> > Need to fix unbound setup scripts? bsdinstall scripts?
> > As I see unbound setup scripts detects 127.0.0.1 in resolv.conf and
> > configured unbound as fully recursive DNS server.
> May I suggest ntpdate(8)?
> Find a reliable time server in your region, and once found add it
> *early* in your rc.conf(5). Well, ahead of your unbound stanza. ie;
>
> hostname="..."
> ifconfig_re0="inet ... netmask ..."
> defaultrouter="..."
Errr... The sequence of assignments in /etc/rc.conf* has no bearing on
the sequence in which /etc/rc starts things.
Please refer to rcorder(8) for further information on this.
Peace,
david
--
David H. Wolfskill da...@catwhisker.org
Those who would murder in the name of God or prophet are blasphemous cowards.
See http://www.catwhisker.org/~david/publickey.gpg for my public key.
0 new messages