On 2/4/19 12:07 PM, Hal Murray via devel wrote:
> Another complication with getting started after a building/site wide power
> loss is that getting time needs DNS and the local caching DNS server may be
> waiting for valid time.
The resolver really shouldn't be waiting for network time, as doing so will create these chicken-and-egg problems. The only thing in DNS that depends on time is validating DNSSEC expirations. If you don't have an RTC, one possible answer is to turn that off--either all DNSSEC validation or just ignoring expirations. BIND, for example, has options for both.

If your system doesn't have an RTC, you may have to take various extra steps, depending on your configuration. I don't think we need to solve all of these problems for people. Even if you want to cover the common case of a Raspberry Pi running Raspbian, I don't think it's necessary to cover every hypothetical case where someone has turned on every possible security feature and has no RTC.

And while you might be able to maintain some documentation on the topic, you _can't_ solve some of these problems in ntpd without horrible abstraction violations. Keeping an application-level DNS cache, as you proposed, is something I would argue is a horrible abstraction violation. As an admin, I want to be able to reason about DNS independently from reasoning about ntpd. If ntpd is doing non-standard things behind my back, that is some combination of annoying and scary.

-- 
Richard

_______________________________________________
devel mailing list
http://lists.ntpsec.org/mailman/listinfo/devel
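The two relaxations Richard mentions for BIND, made concrete. The `named.conf` fragments below are an added example, not part of the list post and not taken from the BIND project's documentation. `dnssec-validation` and `dnssec-accept-expired` are real BIND 9 options; the `directory` path and the three-way layout are illustrative, and the claim that `dnssec-accept-expired yes` also skips the signature inception check (so it helps when a clock has fallen back to the epoch, not only when it has drifted forward past an expiry) is an assumption about BIND's validator rather than something stated in the option's name.

```conf
// Added example, not from the mailing-list post or the BIND project.
// Three alternative "options" blocks for a BIND 9 validating resolver on a
// host without a real-time clock. A real named.conf contains exactly one.

// A) Default posture: validate DNSSEC and enforce RRSIG validity windows.
//    After a power loss on a host with no RTC the clock is wrong, every
//    signature falls outside its window, lookups fail, and ntpd cannot
//    resolve its server names to fetch the time that would fix the clock.
options {
    directory "/var/cache/bind";      // placeholder path
    dnssec-validation auto;           // validate using the built-in root trust anchor
    dnssec-accept-expired no;         // enforce RRSIG validity window (BIND default)
};

// B) Keep validating, but stop checking the signature validity window.
//    Resolution works while the clock is wrong. Cost: a replayed response
//    carrying an old but once-valid signature is now accepted as good.
//    (Assumption: this skips the inception check as well as expiration.)
options {
    directory "/var/cache/bind";
    dnssec-validation auto;
    dnssec-accept-expired yes;
};

// C) Turn DNSSEC validation off entirely. Simplest, but answers are no
//    longer protected against forgery at all, wrong clock or not.
options {
    directory "/var/cache/bind";
    dnssec-validation no;
};
```

Of the two relaxations, B is the narrower one: signatures are still verified against the trust chain and only the time window is ignored, so forged records are still rejected and the exposure is limited to replay of stale signed data. Either relaxed configuration is best treated as a boot-time state that is reverted (by reloading the strict configuration) once the clock has been set, rather than a permanent setting.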
