Re: unbound and ntp issuse

2016-06-14 Thread David Wolfskill
On Tue, Jun 14, 2016 at 07:55:34AM -0700, Chris H wrote:
> I'm playing catchup on my INBOX, so apologies in advance, if this has
> already been satisfactorily answered...
> On Mon, 6 Jun 2016 16:50:18 +0300 Slawa Olhovchenkov  wrote
> ...
> > What I am missing?
> > Need to fix unbound setup scripts? bsdinstall scripts?
> > As I see unbound setup scripts detects 127.0.0.1 in resolv.conf and
> > configured unbound as fully recursive DNS server.
> May I suggest ntpdate(8)?
> Find a reliable time server in your region, and once found add it
> *early* in your rc.conf(5). Well, ahead of your unbound stanza. ie;
> 
> hostname="..."
> ifconfig_re0="inet ... netmask ..."
> defaultrouter="..."
> 

Errr...  The sequence of assignments in /etc/rc.conf* has no bearing on
the sequence in which /etc/rc starts things.

Please refer to rcorder(8) for further information on this.

Peace,
david
-- 
David H. Wolfskill  da...@catwhisker.org
Those who would murder in the name of God or prophet are blasphemous cowards.

See http://www.catwhisker.org/~david/publickey.gpg for my public key.




Re: unbound and ntp issuse

2016-06-14 Thread Chris H
I'm playing catchup on my INBOX, so apologies in advance, if this has
already been satisfactorily answered...
On Mon, 6 Jun 2016 16:50:18 +0300 Slawa Olhovchenkov  wrote

> On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
> 
> > Slawa Olhovchenkov  writes:
> > 
> > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> > >
> > >> Slawa Olhovchenkov  writes:
> > >> 
> > >> > Default install with local_unbound and ntpd can't be functional with
> > >> > incorrect date/time in BIOS:
> > >> >
> > >> > Unbound requires a correct time for the DNSSEC check and refuses queries
> > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> > >> >
> > >> > ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
> > >> > symbolic names like 0.freebsd.pool.ntp.org; as a result it can't
> > >> > resolve (see above, about DNSKEY).
> > >> 
> > >> I can't see how this would happen. DNSSEC doesn't seem to be required in
> > >> a regular install as far as I can see. Certainly I don't have any
> > >
> > > I don't know the reason for enforcing DNSSEC in a regular install.
> > > I just select 'local_unbound' at setup time and enter '127.0.0.1' as
> > > nameserver address.
> > 
> > That's not enough to configure unbound as a fully recursive DNS
> > server.
> 
> What am I missing?
> Need to fix unbound setup scripts? bsdinstall scripts?
> As I see it, the unbound setup scripts detect 127.0.0.1 in resolv.conf and
> configure unbound as a fully recursive DNS server.
May I suggest ntpdate(8)?
Find a reliable time server in your region, and once found add it
*early* in your rc.conf(5). Well, ahead of your unbound stanza. ie;

hostname="..."
ifconfig_re0="inet ... netmask ..."
defaultrouter="..."
ntpdate_enable="YES"
ntpdate_hosts="a reliable regional time server"

..

unbound_enable="YES"
..

ALSO. Since your upstream will, in all likelihood, have informed
you of a preferred set of 2 name servers, place one of them in your
hosts(5) file. This will help ensure that ntpdate(8) can reliably
discover your regional time server.

That should get you where you want to go. :-)

--Chris
> 
> > If your system gets its address through DHCP, it is probably
> > getting DNS server addresses as well, and would work fine *without* your
> > configuring any of the DNS state.
> 
> I have a static address and don't get a DNS server address.
> 
> > >> problem on any of my systems, and I've never configured an anchor on the
> > >> internal systems.
> > >> 
> > >> > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
> > >> 
> > >> Ouch; that's a terrible idea, for several different reasons.
> > >
> > > What else?
> > 
> > All the normal reasons that hard-coding IP addresses is a bad idea; they
> > can change, you're encouraging a lot of people to use the same ones, etc.
> 
> And how to resolve this issue:
> 
> - default install with unbound as recursive DNS server (by default
>   enforcing DNSSEC)
> - ntp time synchronisation
> - stale CMOS time (2008 year)


___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"


Re: unbound and ntp issuse

2016-06-14 Thread Slawa Olhovchenkov
On Tue, Jun 14, 2016 at 07:55:34AM -0700, Chris H wrote:

> I'm playing catchup on my INBOX, so apologies in advance, if this has
> already been satisfactorily answered...

The main question is not about how I can resolve my current issue.
The main question is about the deadlock after setup.

> On Mon, 6 Jun 2016 16:50:18 +0300 Slawa Olhovchenkov  wrote
> 
> > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
> > 
> > > Slawa Olhovchenkov  writes:
> > > 
> > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> > > >
> > > >> Slawa Olhovchenkov  writes:
> > > >> 
> > > >> > Default install with local_unbound and ntpd can't be functional with
> > > >> > incorrect date/time in BIOS:
> > > >> >
> > > >> > Unbound requires a correct time for the DNSSEC check and refuses queries
> > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> > > >> >
> > > >> > ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
> > > >> > symbolic names like 0.freebsd.pool.ntp.org; as a result it can't
> > > >> > resolve (see above, about DNSKEY).
> > > >> 
> > > >> I can't see how this would happen. DNSSEC doesn't seem to be required in
> > > >> a regular install as far as I can see. Certainly I don't have any
> > > >
> > > > I don't know the reason for enforcing DNSSEC in a regular install.
> > > > I just select 'local_unbound' at setup time and enter '127.0.0.1' as
> > > > nameserver address.
> > > 
> > > That's not enough to configure unbound as a fully recursive DNS
> > > server.
> > 
> > What am I missing?
> > Need to fix unbound setup scripts? bsdinstall scripts?
> > As I see it, the unbound setup scripts detect 127.0.0.1 in resolv.conf and
> > configure unbound as a fully recursive DNS server.
> May I suggest ntpdate(8)?
> Find a reliable time server in your region, and once found add it
> *early* in your rc.conf(5). Well, ahead of your unbound stanza. ie;
>
> hostname="..."
> ifconfig_re0="inet ... netmask ..."
> defaultrouter="..."
> ntpdate_enable="YES"
> ntpdate_hosts="a reliable regional time server"

The drawback of using IP addresses of NTP servers was already pointed out.

> 
> unbound_enable="YES"
> ..
> 
> ALSO. Since your upstream will, in all likelihood, have informed
> you of a preferred set of 2 name servers, place one of them in your
> hosts(5) file. This will help ensure that ntpdate(8) can reliably

OK, i.e. cut unbound out of the FreeBSD tree. We don't need unbound and
will always use name servers from upstream, yes?

> discover your regional time server.
> 
> That should get you where you want to go. :-)

I want a working setup after the FreeBSD installer.

I think the best solution is to disable enforcement in case of STA_UNSYNC.

% ntptime
ntp_gettime() returns code 0 (OK)
  time db0a9e2b.4bd3a1d4  Tue, Jun 14 2016 18:15:55.296, (.296198421),
  maximum error 569983 us, estimated error 2912 us, TAI offset 0
ntp_adjtime() returns code 0 (OK)
  modes 0x0 (),
  offset 3993.151 us, frequency 0.240 ppm, interval 1 s,
  maximum error 569983 us, estimated error 2912 us,
  status 0x2001 (PLL,NANO),
^^  -- OK, maybe enforcement.
  time constant 10, precision 0.001 us, tolerance 496 ppm,
  

Not only for unbound, but for SSL too. And maybe in other places.

> --Chris
> > 
> > > If your system gets its address through DHCP, it is probably
> > > getting DNS server addresses as well, and would work fine *without* your
> > > configuring any of the DNS state.
> > 
> > I have a static address and don't get a DNS server address.
> > 
> > > >> problem on any of my systems, and I've never configured an anchor on the
> > > >> internal systems.
> > > >> 
> > > >> > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
> > > >> 
> > > >> Ouch; that's a terrible idea, for several different reasons.
> > > >
> > > > What else?
> > > 
> > > All the normal reasons that hard-coding IP addresses is a bad idea; they
> > > can change, you're encouraging a lot of people to use the same ones, etc.
> > 
> > And how to resolve this issue:
> > 
> > - default install with unbound as recursive DNS server (by default
> >   enforcing DNSSEC)
> > - ntp time synchronisation
> > - stale CMOS time (2008 year)
> 
> 
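The deadlock described in this thread (a validating resolver rejects every signed answer while the clock is years off, and ntpd cannot resolve the pool names that would fix the clock) and the STA_UNSYNC gate proposed above, as an added example that is not code from the thread, from FreeBSD or from Unbound: the RRSIG temporal check in 32-bit serial arithmetic (RFC 4034 section 3.1.5), a decoder for the status word ntptime(8) prints, and a model of the proposed "relax only while unsynchronised" policy. The RRSIG window and the 0x2041 status line are constructed; the 0x2001 line is the one from the ntptime output above.

```python
"""RRSIG time validation vs. an unsynchronised kernel clock (constructed
example; not code from the thread, from FreeBSD or from Unbound)."""
import re
from datetime import datetime, timezone

# Kernel time-status bits from <sys/timex.h>; identical on FreeBSD and
# Linux, and what ntptime(8) decodes into "(PLL,NANO)".
STA_PLL = 0x0001
STA_UNSYNC = 0x0040
STA_NANO = 0x2000
STATUS_NAMES = {STA_PLL: "PLL", STA_UNSYNC: "UNSYNC", STA_NANO: "NANO"}

SERIAL_MOD = 1 << 32        # RRSIG inception/expiration are 32-bit fields
SERIAL_HALF = 1 << 31


def rrsig_time_to_serial(stamp):
    """YYYYMMDDHHMMSS (UTC, the zone-file presentation form) -> the 32-bit
    seconds-since-epoch value carried on the wire (RFC 4034 3.1.5)."""
    dt = datetime.strptime(stamp, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) % SERIAL_MOD


def serial_lt(a, b):
    """RFC 1982 serial-number comparison 'a < b' on 32-bit values, so the
    check keeps working across the 2106 wrap of the field."""
    return a != b and (b - a) % SERIAL_MOD < SERIAL_HALF


def rrsig_time_valid(now, inception, expiration):
    """Temporal check a validator applies to every RRSIG: inception <= now
    <= expiration.  A clock stuck in 2008 fails the first comparison for
    every signature made since, which is the 'DNSKEY rrset is not secure'
    message quoted in the thread."""
    return not serial_lt(now, inception) and not serial_lt(expiration, now)


def parse_ntptime_status(output):
    """Extract the raw status word from ntptime(8) output such as
    '  status 0x2001 (PLL,NANO),'.  Returns None if there is no status line."""
    m = re.search(r"status 0x([0-9a-fA-F]+)", output)
    return int(m.group(1), 16) if m else None


def status_flags(status):
    """Names of the known bits set in a status word, e.g. ['PLL', 'NANO']."""
    return [name for bit, name in STATUS_NAMES.items() if status & bit]


def clock_synchronised(ntptime_output):
    """True when STA_UNSYNC is clear, i.e. the kernel clock has been
    disciplined (ntpd, or ntpdate / ntpd -g at boot) since startup.
    Unparseable output counts as unsynchronised, the safe side for a gate."""
    status = parse_ntptime_status(ntptime_output)
    return status is not None and not status & STA_UNSYNC


def validator_decision(now, inception, expiration, ntptime_output):
    """Model of the policy proposed in the thread: with a synchronised clock
    a time-invalid RRSIG is 'bogus' as usual; while STA_UNSYNC is set the
    same failure is downgraded to 'indeterminate' so the resolver can still
    answer for the NTP pool names that would fix the clock.
    Returns 'secure', 'bogus' or 'indeterminate'."""
    if rrsig_time_valid(now, inception, expiration):
        return "secure"
    return "bogus" if clock_synchronised(ntptime_output) else "indeterminate"


# Constructed sample data.  The RRSIG window is made up; the 0x2001 status
# line is the one shown by ntptime in the thread, 0x2041 is the same line
# with STA_UNSYNC set, as a freshly booted box shows before any time source
# has been reached.
SAMPLE_INCEPTION = rrsig_time_to_serial("20160601000000")
SAMPLE_EXPIRATION = rrsig_time_to_serial("20160701000000")
CLOCK_JUN_2016 = rrsig_time_to_serial("20160614181555")   # correct clock
CLOCK_2008 = rrsig_time_to_serial("20080101000000")       # stale CMOS clock
NTPTIME_SYNCED = "  status 0x2001 (PLL,NANO),"
NTPTIME_UNSYNCED = "  status 0x2041 (PLL,UNSYNC,NANO),"

if __name__ == "__main__":
    for clock_name, now in (("2016-06-14", CLOCK_JUN_2016), ("2008-01-01", CLOCK_2008)):
        for line in (NTPTIME_SYNCED, NTPTIME_UNSYNCED):
            flags = ",".join(status_flags(parse_ntptime_status(line)))
            verdict = validator_decision(now, SAMPLE_INCEPTION, SAMPLE_EXPIRATION, line)
            print(f"clock {clock_name} status {flags:<16} -> {verdict}")
```

Unbound's own knob for this situation is `val-override-date` in unbound.conf (a debugging option; the value -1 ignores signature dates entirely), so the gate above is a model of the proposal, not a change to what Unbound does.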


Re: unbound and ntp issuse

2016-06-10 Thread Slawa Olhovchenkov
On Fri, Jun 10, 2016 at 03:10:10PM -0400, Lowell Gilbert wrote:

> Slawa Olhovchenkov  writes:
> 
> > On Thu, Jun 09, 2016 at 02:31:17PM -0400, Lowell Gilbert wrote:
> >
> >> Slawa Olhovchenkov  writes:
> >> 
> >> > On Thu, Jun 09, 2016 at 09:48:25AM -0400, Lowell Gilbert wrote:
> >> >
> >> >> Slawa Olhovchenkov  writes:
> >> >> 
> >> >> > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
> >> >> >
> >> >> >> I doubt that will happen as you are asking to pollute every release
> >> >> >> installation for an edge condition when there are numerous workarounds
> >> >> >> that would be acceptable to most, e.g. two lines in rc.conf will fix the
> >> >> >> issue.
> >> >> >
> >> >> > This manual editing will be required by every install on RPi, for
> >> >> > example.
> >> >> 
> >> >> No, it won't. Most people will just give the system a valid DNS
> >> >> configuration, and the clock will not be an issue.
> >> >
> >> > What is invalid in my DNS configuration?
> >> 
> >> You said that you configured 127.0.0.1 as your DNS server. You didn't
> >> say how (or rather where) you did that, but if you had used the address
> >> of a working upstream recursive server, I suspect there wouldn't have
> >> been any problem.
> >
> > Configuring 127.0.0.1 as DNS server and enabling local_unbound causes
> > unbound to act as recursive resolver. This is the conventional setup.
> > ("No forwarders found in resolv.conf, unbound will recurse."
> > -- from /usr/sbin/local-unbound-setup)
> 
> I'll check on it if I get a chance.
> 
> > Using an upstream recursive server with local unbound will cause the same
> > problem, IMHO, because unbound will be enforcing DNSSEC in the same
> > way and rejecting all answers from upstream.
> 
> Well, we know that is not the case, because in that case nearly everyone
> would be having the problem.

Only in case of a very incorrect time at startup (year 2008 in my case,
after a CMOS reset).


Re: unbound and ntp issuse

2016-06-10 Thread Brandon Allbery
On Fri, Jun 10, 2016 at 3:10 PM, Lowell Gilbert <
freebsd-stable-lo...@be-well.ilk.org> wrote:

> Well, we know that is not the case, because in that case nearly everyone
> would be having the problem.
>

That would be the point... maybe not "nearly everyone" although it is hard
to be certain, but I ran headlong into this when I tried to install --- and
thought I'd done something wrong until this thread, where I learned that it
doesn't work -out of the box-.

-- 
brandon s allbery kf8nh   sine nomine associates
allber...@gmail.com  ballb...@sinenomine.net
unix, openafs, kerberos, infrastructure, xmonadhttp://sinenomine.net


Re: unbound and ntp issuse

2016-06-10 Thread Lowell Gilbert
Slawa Olhovchenkov  writes:

> On Thu, Jun 09, 2016 at 02:31:17PM -0400, Lowell Gilbert wrote:
>
>> Slawa Olhovchenkov  writes:
>> 
>> > On Thu, Jun 09, 2016 at 09:48:25AM -0400, Lowell Gilbert wrote:
>> >
>> >> Slawa Olhovchenkov  writes:
>> >> 
>> >> > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
>> >> >
>> >> >> I doubt that will happen as you are asking to pollute every release
>> >> >> installation for an edge condition when there are numerous workarounds
>> >> >> that would be acceptable to most, e.g. two lines in rc.conf will fix the
>> >> >> issue.
>> >> >
>> >> > This manual editing will be required by every install on RPi, for
>> >> > example.
>> >> 
>> >> No, it won't. Most people will just give the system a valid DNS
>> >> configuration, and the clock will not be an issue.
>> >
>> > What is invalid in my DNS configuration?
>> 
>> You said that you configured 127.0.0.1 as your DNS server. You didn't
>> say how (or rather where) you did that, but if you had used the address
>> of a working upstream recursive server, I suspect there wouldn't have
>> been any problem.
>
> Configuring 127.0.0.1 as DNS server and enabling local_unbound causes
> unbound to act as recursive resolver. This is the conventional setup.
> ("No forwarders found in resolv.conf, unbound will recurse."
> -- from /usr/sbin/local-unbound-setup)

I'll check on it if I get a chance.

> Using an upstream recursive server with local unbound will cause the same
> problem, IMHO, because unbound will be enforcing DNSSEC in the same
> way and rejecting all answers from upstream.

Well, we know that is not the case, because in that case nearly everyone
would be having the problem.


Re: unbound and ntp issuse

2016-06-10 Thread Slawa Olhovchenkov
On Fri, Jun 10, 2016 at 12:53:04PM +0100, krad wrote:

> Pretty much every box requires some form of configuration so it's a moot
> point. If you want automated deployment you will almost certainly be
> building a pxe or prepared usb/cd image of some sort. In which case you
> include these settings in the deployed rc.conf.

This sounds like "installer and default config are not needed, use ansible
for all".

> On 9 June 2016 at 14:37, Slawa Olhovchenkov  wrote:
> 
> > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
> >
> > > I doubt that will happen as you are asking to pollute every release
> > > installation for an edge condition when there are numerous workarounds
> > > that would be acceptable to most, e.g. two lines in rc.conf will fix the
> > > issue.
> >
> > This manual editing will be required by every install on RPi, for
> > example.
> >
> > Also, this issue is hard to diagnose for the average user.
> >
> > > On 9 June 2016 at 09:04, Slawa Olhovchenkov  wrote:
> > >
> > > > On Thu, Jun 09, 2016 at 08:39:42AM +0100, krad wrote:
> > > >
> > > > > Google's will be pretty static, but I would just use them as a one-off, i.e.
> > > > > with ntpdate
> > > >
> > > > I am talking about the freebsd system/project.
> > > >
> > > > >
> > > > > On 8 June 2016 at 10:48, Slawa Olhovchenkov  wrote:
> > > > >
> > > > > > On Wed, Jun 08, 2016 at 02:29:29AM +0200, Dag-Erling Smørgrav wrote:
> > > > > >
> > > > > > > Slawa Olhovchenkov  writes:
> > > > > > > > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
> > > > > > >
> > > > > > > https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse
> > > > > > > https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link
> > > > > >
> > > > > > What is your suggestion?
> > > > > >
> > > >
> >

Re: unbound and ntp issuse

2016-06-10 Thread krad
Pretty much every box requires some form of configuration so it's a moot
point. If you want automated deployment you will almost certainly be
building a pxe or prepared usb/cd image of some sort. In which case you
include these settings in the deployed rc.conf.

On 9 June 2016 at 14:37, Slawa Olhovchenkov  wrote:

> On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
>
> > I doubt that will happen as you are asking to pollute every release
> > installation for an edge condition when there are numerous workarounds
> > that would be acceptable to most, e.g. two lines in rc.conf will fix the
> > issue.
>
> This manual editing will be required by every install on RPi, for
> example.
>
> Also, this issue is hard to diagnose for the average user.
>
> > On 9 June 2016 at 09:04, Slawa Olhovchenkov  wrote:
> >
> > > On Thu, Jun 09, 2016 at 08:39:42AM +0100, krad wrote:
> > >
> > > > Google's will be pretty static, but I would just use them as a one-off, i.e.
> > > > with ntpdate
> > >
> > > I am talking about the freebsd system/project.
> > >
> > > >
> > > > On 8 June 2016 at 10:48, Slawa Olhovchenkov  wrote:
> > > >
> > > > > On Wed, Jun 08, 2016 at 02:29:29AM +0200, Dag-Erling Smørgrav wrote:
> > > > >
> > > > > > Slawa Olhovchenkov  writes:
> > > > > > > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
> > > > > >
> > > > > > https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse
> > > > > >
> > > > > > https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link
> > > > >
> > > > > What is your suggestion?
> > > > >
> > > > >
> > >
>

Re: unbound and ntp issuse

2016-06-09 Thread Slawa Olhovchenkov
On Thu, Jun 09, 2016 at 02:31:17PM -0400, Lowell Gilbert wrote:

> Slawa Olhovchenkov  writes:
> 
> > On Thu, Jun 09, 2016 at 09:48:25AM -0400, Lowell Gilbert wrote:
> >
> >> Slawa Olhovchenkov  writes:
> >> 
> >> > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
> >> >
> >> >> I doubt that will happen as you are asking to pollute every release
> >> >> installation for an edge condition when there are numerous workarounds
> >> >> that would be acceptable to most, e.g. two lines in rc.conf will fix the
> >> >> issue.
> >> >
> >> > This manual editing will be required by every install on RPi, for
> >> > example.
> >> 
> >> No, it won't. Most people will just give the system a valid DNS
> >> configuration, and the clock will not be an issue.
> >
> > What is invalid in my DNS configuration?
> 
> You said that you configured 127.0.0.1 as your DNS server. You didn't
> say how (or rather where) you did that, but if you had used the address
> of a working upstream recursive server, I suspect there wouldn't have
> been any problem.

Configuring 127.0.0.1 as DNS server and enabling local_unbound causes
unbound to act as recursive resolver. This is the conventional setup.
("No forwarders found in resolv.conf, unbound will recurse."
-- from /usr/sbin/local-unbound-setup)

Using an upstream recursive server with local unbound will cause the same
problem, IMHO, because unbound will be enforcing DNSSEC in the same
way and rejecting all answers from upstream.


Re: unbound and ntp issuse

2016-06-09 Thread Lowell Gilbert
Slawa Olhovchenkov  writes:

> On Thu, Jun 09, 2016 at 09:48:25AM -0400, Lowell Gilbert wrote:
>
>> Slawa Olhovchenkov  writes:
>> 
>> > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
>> >
>> >> I doubt that will happen as you are asking to pollute every release
>> >> installation for an edge condition when there are numerous workarounds
>> >> that would be acceptable to most, e.g. two lines in rc.conf will fix the
>> >> issue.
>> >
>> > This manual editing will be required by every install on RPi, for
>> > example.
>> 
>> No, it won't. Most people will just give the system a valid DNS
>> configuration, and the clock will not be an issue.
>
> What is invalid in my DNS configuration?

You said that you configured 127.0.0.1 as your DNS server. You didn't
say how (or rather where) you did that, but if you had used the address
of a working upstream recursive server, I suspect there wouldn't have
been any problem.


Re: unbound and ntp issuse

2016-06-09 Thread Slawa Olhovchenkov
On Thu, Jun 09, 2016 at 09:48:25AM -0400, Lowell Gilbert wrote:

> Slawa Olhovchenkov  writes:
> 
> > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
> >
> >> I doubt that will happen as you are asking to pollute every release
> >> installation for an edge condition when there are numerous workarounds
> >> that would be acceptable to most, e.g. two lines in rc.conf will fix the
> >> issue.
> >
> > This manual editing will be required by every install on RPi, for
> > example.
> 
> No, it won't. Most people will just give the system a valid DNS
> configuration, and the clock will not be an issue.

What is invalid in my DNS configuration?


Re: unbound and ntp issuse

2016-06-09 Thread Lowell Gilbert
Slawa Olhovchenkov  writes:

> On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:
>
>> I doubt that will happen as you are asking to pollute every release
>> installation for an edge condition when there are numerous workarounds
>> that would be acceptable to most, e.g. two lines in rc.conf will fix the
>> issue.
>
> This manual editing will be required by every install on RPi, for
> example.

No, it won't. Most people will just give the system a valid DNS
configuration, and the clock will not be an issue.


Re: unbound and ntp issuse

2016-06-09 Thread Slawa Olhovchenkov
On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote:

> I doubt that will happen as you are asking to pollute every release
> installation for an edge condition when there are numerous workarounds
> that would be acceptable to most, e.g. two lines in rc.conf will fix the
> issue.

This manual editing will be required by every install on RPi, for
example.

Also, this issue is hard to diagnose for the average user.

> On 9 June 2016 at 09:04, Slawa Olhovchenkov  wrote:
> 
> > On Thu, Jun 09, 2016 at 08:39:42AM +0100, krad wrote:
> >
> > > Google's will be pretty static, but I would just use them as a one-off, i.e.
> > > with ntpdate
> >
> > I am talking about the freebsd system/project.
> >
> > >
> > > On 8 June 2016 at 10:48, Slawa Olhovchenkov  wrote:
> > >
> > > > On Wed, Jun 08, 2016 at 02:29:29AM +0200, Dag-Erling Smørgrav wrote:
> > > >
> > > > > Slawa Olhovchenkov  writes:
> > > > > > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
> > > > >
> > > > > https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse
> > > > > https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link
> > > >
> > > > What is your suggestion?
> > > >
> > > >
> >

Re: unbound and ntp issuse

2016-06-09 Thread krad
I doubt that will happen as you are asking to pollute every release
installation for an edge condition when there are numerous workarounds
that would be acceptable to most, e.g. two lines in rc.conf will fix the
issue.

On 9 June 2016 at 09:04, Slawa Olhovchenkov  wrote:

> On Thu, Jun 09, 2016 at 08:39:42AM +0100, krad wrote:
>
> > Google's will be pretty static, but I would just use them as a one-off, i.e.
> > with ntpdate
>
> I am talking about the freebsd system/project.
>
> >
> > On 8 June 2016 at 10:48, Slawa Olhovchenkov  wrote:
> >
> > > On Wed, Jun 08, 2016 at 02:29:29AM +0200, Dag-Erling Smørgrav wrote:
> > >
> > > > Slawa Olhovchenkov  writes:
> > > > > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
> > > >
> > > > https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse
> > > > https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link
> > >
> > > What is your suggestion?
> > >
> > >
>

Re: unbound and ntp issuse

2016-06-09 Thread Slawa Olhovchenkov
On Thu, Jun 09, 2016 at 08:39:42AM +0100, krad wrote:

> Google's will be pretty static, but I would just use them as a one-off, i.e.
> with ntpdate

I am talking about the freebsd system/project.

> 
> On 8 June 2016 at 10:48, Slawa Olhovchenkov  wrote:
> 
> > On Wed, Jun 08, 2016 at 02:29:29AM +0200, Dag-Erling Smørgrav wrote:
> >
> > > Slawa Olhovchenkov  writes:
> > > > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
> > >
> > > https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse
> > > https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link
> >
> > What is your suggestion?
> >
> >

Re: unbound and ntp issuse

2016-06-09 Thread krad
Google's will be pretty static, but I would just use them as a one-off, i.e.
with ntpdate


On 8 June 2016 at 10:48, Slawa Olhovchenkov  wrote:

> On Wed, Jun 08, 2016 at 02:29:29AM +0200, Dag-Erling Smørgrav wrote:
>
> > Slawa Olhovchenkov  writes:
> > > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
> >
> > https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse
> > https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link
>
> What is your suggestion?
>
>

Re: unbound and ntp issuse

2016-06-08 Thread Slawa Olhovchenkov
On Wed, Jun 08, 2016 at 02:29:29AM +0200, Dag-Erling Smørgrav wrote:

> Slawa Olhovchenkov  writes:
> > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
> 
> https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse
> https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link

What is your suggestion?


Re: unbound and ntp issuse

2016-06-07 Thread Dag-Erling Smørgrav
Slawa Olhovchenkov  writes:
> IMHO, ntp.conf needs to include some numeric IP of public ntp servers.

https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse
https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link

DES
-- 
Dag-Erling Smørgrav - d...@des.no

Re: unbound and ntp issuse

2016-06-07 Thread Ronald Klop
On Tue, 07 Jun 2016 12:43:35 +0200, Slawa Olhovchenkov  wrote:

> On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote:
>
> > Like I said you could configure ntpdate as well as ntpd, but give it a
> > known good ip. It will only run once at boot, and ntpd will start after so
> > that can use the nice pool names.
> >
> > A slightly better way maybe to give ntpdate a server hostname like
> > ntp-server and populate the hosts file with one of the ips from
> > pool.ntp.org. You could then have a periodic script to check and update the
> > ip in the hosts every day, so it works over a reboot. The ip would
> > obviously have to have an initial seed value, but you could work this out
> > programmatically at system configuration time with tools like ansible.
>
> Why not do it with the standard scripts from the base system?
> Enforcing DNSSEC must not require this strange work on all systems
> lacking CMOS time.

If the system lacks CMOS time it is hard to fix this problem. It is not
only about NTP+DNSSEC, but also about the lack of timekeeping. This
timekeeping problem can be solved by using a local ntp-server. That would
break the deadlock of NTP+DNSSEC.

Ronald.

> I am not an expert in sh scripting for this automation.
>
> > On 7 June 2016 at 09:47, Slawa Olhovchenkov  wrote:
> >
> > > On Tue, Jun 07, 2016 at 09:00:29AM +0100, krad wrote:
> > >
> > > > Well there is a deadlock situation there so you have to relax one of the
> > > > conditions, for one time at least.
> > > >
> > > > Your best bet is to do a manual ntpdate against a fixed ip of known
> > > > goodness. If you have a lot of machines you need to do this on, use ansible
> > > > or similar to do the heavy lifting for you. Ansible is best in my opinion
> > > > if you don't have anything setup as it's quick to get going. It does require
> > > > python on the target machines so you would need to install that first.
> > > > Something like the following should get it working (as you don't have dns on
> > > > the target machine, package fetches won't work, so I would tunnel a squid
> > > > proxy and let that handle all the internet stuff.
> > > >
> > > > add something like the following to your ssh_config
> > > >
> > > > Host *
> > > > RemoteForward 31280 squid_server:3128
> > > >
> > > > then run some stuff like this (after installing ansible on your
> > > > desktop/bastion host)
> > > >
> > > > ansible  -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy=
> > > > http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i
> > > >  -kS --ask-su-pass
> > > >
> > > > ansible  -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy=
> > > > http://127.0.0.1:31280 pkg install python' -u root -i
> > > > -kS --ask-su-pass
> > > >
> > > > ansible -m shell -a "ntpdate "  -kS --ask-su-pass -i
> > > >
> > > > from here on you should be able to start unbound and then ntpd eg
> > > >
> > > > ansible -m service -a "name=local_unbound state=restarted"
> > > >  -kS --ask-su-pass -i
> > > > ansible -m service -a "name=ntpd state=restarted"  -kS --ask-su-pass -i
> > > >
> > > > Alternatively you could just relax your dnssec rules on first boot to give
> > > > ntp a chance. Probably much easier 8)
> > >
> > > How do I do it? I don't touch dnssec rules and don't know unbound.
> > > Maybe this is possible by startup scripts?
> > > Also, some platforms lack CMOS time, RPi, for example.
> > >
> > > > Also make sure you are using the '-g' flag on ntpd
> > >
> > > Yes, I added `ntpd_sync_on_start=yes` to rc.conf.
> > > I suggest doing it by checkbox in bsdinstall.
> > >
> > >
> > > > On 6 June 2016 at 14:50, Slawa Olhovchenkov  wrote:
> > > >
> > > > > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
> > > > >
> > > > > > Slawa Olhovchenkov  writes:
> > > > > >
> > > > > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> > > > > > >
> > > > > > >> Slawa Olhovchenkov  writes:
> > > > > > >>
> > > > > > >> > Default install with local_unbound and ntpd can't be functional with
> > > > > > >> > incorrect date/time in BIOS:
> > > > > > >> >
> > > > > > >> > Unbound requires a correct time for the DNSSEC check and refuses queries
> > > > > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> > > > > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> > > > > > >> >
> > > > > > >> > ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
> > > > > > >> > symbolic names like 0.freebsd.pool.ntp.org; as a result it can't
> > > > > > >> > resolve (see above, about DNSKEY).
> > > > > > >>
> > > > > > >> I can't see how this would happen. DNSSEC doesn't seem to be required in
> > > > > > >> a regular install as far as I can see. Certainly I don't have any
> > > > > > >
> > > > > > > I don't know the reason for enforcing DNSSEC in a regular install.
> > > > > > > I just select `local_unbound` at setup time and enter `127.0.0.1` as
> > > > > > > nameserver address.
> > > > > >
> > > > > > That's not enough to configure unbound as a fully recursive DNS
> > > > > > server.
> > > > >
> > > > > What am I missing?
> > > > > Need to fix unbound setup scripts? bsdinstall scripts?
> > > > > As I see unbound setup scripts detects 

Re: unbound and ntp issuse

2016-06-07 Thread Slawa Olhovchenkov
On Tue, Jun 07, 2016 at 04:56:47PM +0200, Ronald Klop wrote:

> On Tue, 07 Jun 2016 12:43:35 +0200, Slawa Olhovchenkov wrote:
> 
> > On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote:
> >
> >> Like i said you could configure ntpdate as well as ntpd, but give it a
> >> known good ip. It will only run once at boot, and ntpd will start after so
> >> that can use the nice pool names.
> >>
> >> A slightly better way maybe to give ntpdate a server hostname like
> >> ntp-server and populated the hosts file with one of the ips from
> >> pool.ntp.org. You could then have a periodic script to check and update the
> >> ip in the hosts every day, so it works over a reboot. The ip would
> >> obviously have to have an initial seed value, but you could work this out
> >> progmatically at system configuration time with tools like ansible.
> >
> > What purpose don't do it by standart scripts from base systems?
> > Enforcing DNSSEC must be prevent this strange works on all systems
> > lack CMOS time.
> 
> 
> If the system lacks CMOS time it is hard to fix this problem. It is not  
> only about NTP+DNSSEC, but also about the lack of timekeeping. This  
> timekeeping problem can be solved by using a local ntp-server. That would  
> break the deadlock of NTP+DNSSEC.

ntpd_sync_on_start=yes
unbound starts in relaxed mode until time is synced
after ntp is synced, unbound switches to DNSSEC mode.
ntp re-resolves ntp server addresses

What is wrong with this?
Some software needs modification, yes.
This is the price for DNSSEC enforcing.

Many systems don't have CMOS by design.


Re: unbound and ntp issuse

2016-06-07 Thread krad
Running this at boot time may help as well

unbound-control set_option val-permissive-mode: yes

then after ntpd has started up run this

unbound-control set_option val-permissive-mode: no

Yes, workarounds, but workarounds work by definition.

On 7 June 2016 at 15:00, krad  wrote:

> it's a non-solvable problem though as it's a deadlock. You have to remove
> one of the criteria in order to fix the issue automatically.
>
___
freebsd-stable@freebsd.org mailing list
https://lists.freebsd.org/mailman/listinfo/freebsd-stable
To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
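Putting krad's two unbound-control calls and Slawa's "relaxed until synced, then DNSSEC" sequence together, here is an added example (not code from the thread) that keeps val-permissive-mode on only until ntpq reports a synchronised clock, then restores strict validation and purges what was cached meanwhile. It assumes FreeBSD local_unbound with unbound-control already set up, ntpd_sync_on_start=yes in rc.conf, and the leap/stratum fields of `ntpq -c rv` output; the rv strings used for checking are constructed.

```shell
#!/bin/sh
# Added example, not code from the thread: break the NTP+DNSSEC deadlock for
# only as long as ntpd needs to obtain a trusted clock, then re-enable
# validation. Assumes FreeBSD local_unbound with unbound-control set up
# (unbound-control-setup) and ntpd_sync_on_start=yes in rc.conf.

# Succeed only when ntpq's "rv" output shows a synchronised clock:
# leap=00 (no leap alarm) and a stratum below 16 (16 means unsynchronised).
ntp_synced_from_rv() {
    rv="$1"
    case "$rv" in
        *leap=00*) ;;
        *) return 1 ;;
    esac
    stratum=$(printf '%s\n' "$rv" |
        sed -n 's/.*stratum=\([0-9][0-9]*\).*/\1/p' | head -1)
    [ -n "$stratum" ] && [ "$stratum" -lt 16 ]
}

# Poll ntpd (via ntpq) until it reports sync or $1 seconds have passed.
wait_for_ntp_sync() {
    deadline=$(( $(date +%s) + $1 ))
    while [ "$(date +%s)" -lt "$deadline" ]; do
        if ntp_synced_from_rv "$(ntpq -c rv 2>/dev/null)"; then
            return 0
        fi
        sleep 5
    done
    return 1
}

main() {
    # 1. Stop unbound refusing answers it cannot validate with a wrong clock,
    #    so ntpd can resolve the pool names in ntp.conf.
    unbound-control set_option val-permissive-mode: yes
    # 2. (Re)start ntpd; with ntpd_sync_on_start=yes it steps the clock.
    service ntpd restart
    # 3. Once the clock is trusted, return to strict validation and drop
    #    whatever failed validation while permissive mode was on, so nothing
    #    answered under the wrong clock survives in the cache.
    if wait_for_ntp_sync 600; then
        unbound-control set_option val-permissive-mode: no
        unbound-control flush_bogus
    else
        echo "ntpd did not synchronise; validation left permissive" >&2
        exit 1
    fi
}

# Run the sequence only when invoked explicitly, e.g. from an rc.d script.
if [ "${1:-}" = "run" ]; then
    main
fi
```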


Re: unbound and ntp issuse

2016-06-07 Thread krad
it's a non-solvable problem though as it's a deadlock. You have to remove
one of the criteria in order to fix the issue automatically.

On 7 June 2016 at 14:32, Slawa Olhovchenkov  wrote:

> On Tue, Jun 07, 2016 at 07:29:32AM -0600, Ian Lepore wrote:
>
> > On Tue, 2016-06-07 at 12:10 +0100, krad wrote:
> > > whops that should be
> > >
> > > ntpdate_hosts not servers
> > >
> >
> > These suggestions are essentially insane because they're ignoring the
> > basic fact that the freebsd installer creates a non-working system.  If
> > unbound requires DNSSEC, and DNSSEC requires good time, and good time
> > requires hostname resolution, then that circular dependency is a
> > problem that the freebsd project needs to fix, not something to be
> > hacked around by each individual sysadmin.
>
> Exactly! This is my point!
>
> > It is a bit disturbing to me that the project members who created this
> > situation have been silent in the face of *months* of reporting of it
> > by several different users.
>


Re: unbound and ntp issuse

2016-06-07 Thread Ian Lepore
On Tue, 2016-06-07 at 12:10 +0100, krad wrote:
> whops that should be
> 
> ntpdate_hosts not servers
> 

These suggestions are essentially insane because they're ignoring the
basic fact that the freebsd installer creates a non-working system.  If
unbound requires DNSSEC, and DNSSEC requires good time, and good time
requires hostname resolution, then that circular dependency is a
problem that the freebsd project needs to fix, not something to be
hacked around by each individual sysadmin.

It is a bit disturbing to me that the project members who created this
situation have been silent in the face of *months* of reporting of it
by several different users.

-- Ian


Re: unbound and ntp issuse

2016-06-07 Thread Slawa Olhovchenkov
On Tue, Jun 07, 2016 at 07:29:32AM -0600, Ian Lepore wrote:

> On Tue, 2016-06-07 at 12:10 +0100, krad wrote:
> > whops that should be
> > 
> > ntpdate_hosts not servers
> > 
> 
> These suggestions are essentially insane because they're ignoring the
> basic fact that the freebsd installer creates a non-working system.  If
> unbound requires DNSSEC, and DNSSEC requires good time, and good time
> requires hostname resolution, then that circular dependency is a
> problem that the freebsd project needs to fix, not something to be
> hacked around by each individual sysadmin.

Exactly! This is my point!

> It is a bit disturbing to me that the project members who created this
> situation have been silent in the face of *months* of reporting of it
> by several different users.


Re: unbound and ntp issuse

2016-06-07 Thread krad
whoops, that should be

ntpdate_hosts not servers


On 7 June 2016 at 12:09, krad  wrote:

> something as simple as this thrown in /etc/periodic/daily/ would probably
> do it.
>
> #!/bin/sh
> ip=$(dig pool.ntp.org +short | head -1)
> cp /etc/hosts /etc/hosts.old &&
>  sed -e "s/.*ntp-server/$ip ntp-server/"  /etc/hosts.old > /etc/hosts
>
>
> with these lines in rc.conf
> ntpdate_enable=yes
> ntpdate_servers="ntp-server"
>
>
>
>
>

Re: unbound and ntp issuse

2016-06-07 Thread krad
something as simple as this thrown in /etc/periodic/daily/ would probably
do it.

#!/bin/sh
# Refresh the ntp-server alias in /etc/hosts with a current pool address.
ip=$(dig pool.ntp.org +short | head -1)
# Leave /etc/hosts untouched if the lookup returned nothing.
[ -n "$ip" ] || exit 1
cp /etc/hosts /etc/hosts.old &&
 sed -e "s/.*ntp-server/$ip ntp-server/"  /etc/hosts.old > /etc/hosts


with these lines in rc.conf
ntpdate_enable=yes
ntpdate_servers="ntp-server"





On 7 June 2016 at 11:43, Slawa Olhovchenkov  wrote:

> On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote:
>
> > Like i said you could configure ntpdate as well as ntpd, but give it a
> > known good ip. It will only run once at boot, and ntpd will start after so
> > that can use the nice pool names.
> >
> > A slightly better way maybe to give ntpdate a server hostname like
> > ntp-server and populated the hosts file with one of the ips from
> > pool.ntp.org. You could then have a periodic script to check and update the
> > ip in the hosts every day, so it works over a reboot. The ip would
> > obviously have to have an initial seed value, but you could work this out
> > progmatically at system configuration time with tools like ansible.
>
> What purpose don't do it by standart scripts from base systems?
> Enforcing DNSSEC must be prevent this strange works on all systems
> lack CMOS time.
>
> I am not expert in sh scripting for this automation.
>

Re: unbound and ntp issuse

2016-06-07 Thread Slawa Olhovchenkov
On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote:

> Like i said you could configure ntpdate as well as ntpd, but give it a
> known good ip. It will only run once at boot, and ntpd will start after so
> that can use the nice pool names.
> 
> A slightly better way maybe to give ntpdate a server hostname like
> ntp-server and populated the hosts file with one of the ips from
> pool.ntp.org. You could then have a periodic script to check and update the
> ip in the hosts every day, so it works over a reboot. The ip would
> obviously have to have an initial seed value, but you could work this out
> progmatically at system configuration time with tools like ansible.

What purpose don't do it by standard scripts from base systems?
Enforcing DNSSEC must be prevent this strange works on all systems
lack CMOS time.

I am not expert in sh scripting for this automation.


Re: unbound and ntp issuse

2016-06-07 Thread krad
Like I said you could configure ntpdate as well as ntpd, but give it a
known good ip. It will only run once at boot, and ntpd will start after so
that can use the nice pool names.

A slightly better way maybe to give ntpdate a server hostname like
ntp-server and populate the hosts file with one of the ips from
pool.ntp.org. You could then have a periodic script to check and update the
ip in the hosts every day, so it works over a reboot. The ip would
obviously have to have an initial seed value, but you could work this out
programmatically at system configuration time with tools like ansible.

On 7 June 2016 at 09:47, Slawa Olhovchenkov  wrote:

> On Tue, Jun 07, 2016 at 09:00:29AM +0100, krad wrote:
>
> > Well there is a deadlock situation there so you have to relax one of the
> > conditions, for one time at least.
> >
> > Your best bet is to do a manual ntpdate against a fixed ip of known
> > goodness. If you have a lot of machines you need to do this on, use
> ansible
> > or similar to do the heavy lifting for you. Ansible is best in my opinion
> > if you dont have anything setup as its quick to get going. It does
> require
> > python on the target machines so you would need to install that first.
> > Something like the following should get it working (as you dont have dns
> on
> > the target machine, package fetches wont work, so i would tunnel a squid
> > proxy and let that handle all the internet stuff.
> >
> > add something like the following to your ssh_config
> >
> > Host *
> > RemoteForward 31280 squid_server:3128
> >
> > then run some stuff like this (after installing ansible on your
> > desktop/bastion host)
> >
> > ansible  -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy=
> > http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i
> >  -kS --ask-su-pass
> >
> > ansible  -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy=
> > http://127.0.0.1:31280 pkg install python' -u root -i 
> > -kS --ask-su-pass
> >
> > ansible -m shell -a "ntpdate "  -kS --ask-su-pass -i
> > 
> >
> > from here on you should be able to start unbound and then ntpd eg
> >
> > ansible -m service -a "name=local_unbound state=restarted"
> >  -kS --ask-su-pass -i 
> > ansible -m service -a "name=ntpd state=restarted"  -kS --ask-su-pass -i
> >  >
> > Alternatively you could just relax your dnssec rules on first boot to
> give
> > ntp a chance. Probably much easier 8)
>
> How do I do it? I don't touch dnssec rules and don't know unbound.
> Maybe this is possible by startup scripts?
> Also, some platforms lack CMOS time, RPi, for example.
>
> > Also make sure you are using the '-g' flag on ntpd
>
> Yes, I added `ntpd_sync_on_start=yes` to rc.conf.
> I suggest doing it by a checkbox in bsdinstall.
>
>
> > On 6 June 2016 at 14:50, Slawa Olhovchenkov  wrote:
> >
> > > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
> > >
> > > > Slawa Olhovchenkov  writes:
> > > >
> > > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> > > > >
> > > > >> Slawa Olhovchenkov  writes:
> > > > >>
> > > > >> > Default install with local_unbound and ntpd can't be functional with
> > > > >> > incorrect date/time in BIOS:
> > > > >> >
> > > > >> > Unbound requires correct time for DNSSEC check and refuses queries
> > > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> > > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> > > > >> >
> > > > >> > ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
> > > > >> > symbolic names like 0.freebsd.pool.ntp.org, as a result -- can't
> > > > >> > resolve (see above, about DNSKEY).
> > > > >>
> > > > >> I can't see how this would happen. DNSSEC doesn't seem to be required in
> > > > >> a regular install as far as I can see. Certainly I don't have any
> > > > >
> > > > > I don't know the reason for enforcing DNSSEC in a regular install.
> > > > > I just selected `local_unbound` at setup time and entered `127.0.0.1` as
> > > > > nameserver address.
> > > >
> > > > That's not enough to configure unbound as a fully recursive DNS
> > > > server.
> > >
> > > What am I missing?
> > > Need to fix unbound setup scripts? bsdinstall scripts?
> > > As I see, unbound setup scripts detect 127.0.0.1 in resolv.conf and
> > > configure unbound as a fully recursive DNS server.
> > >
> > > > If your system gets its address through DHCP, it is probably
> > > > getting DNS server addresses as well, and would work fine *without* your
> > > > configuring any of the DNS state.
> > >
> > > I have a static address and don't get a DNS server address.
> > >
> > > > >> problem on any of my systems, and I've never configured an anchor on the
> > > > >> internal systems.
> > > > >>
> > > > >> > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
> > > > >>
> > > > >> Ouch; that's a terrible idea, for several different reasons.
> 

Re: unbound and ntp issuse

2016-06-07 Thread Slawa Olhovchenkov
On Tue, Jun 07, 2016 at 09:00:29AM +0100, krad wrote:

> Well there is a deadlock situation there so you have to relax one of the
> conditions, for one time at least.
> 
> Your best bet is to do a manual ntpdate against a fixed ip of known
> goodness. If you have a lot of machines you need to do this on, use ansible
> or similar to do the heavy lifting for you. Ansible is best in my opinion
> if you don't have anything set up as it's quick to get going. It does require
> python on the target machines so you would need to install that first.
> Something like the following should get it working (as you don't have dns on
> the target machine, package fetches won't work, so I would tunnel a squid
> proxy and let that handle all the internet stuff).
> 
> add something like the following to your ssh_config
> 
> Host *
> RemoteForward 31280 squid_server:3128
> 
> then run some stuff like this (after installing ansible on your
> desktop/bastion host)
> 
> ansible  -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy=
> http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i
>  -kS --ask-su-pass
> 
> ansible  -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy=
> http://127.0.0.1:31280 pkg install python' -u root -i 
> -kS --ask-su-pass
> 
> ansible -m shell -a "ntpdate "  -kS --ask-su-pass -i
> 
> 
> from here on you should be able to start unbound and then ntpd eg
> 
> ansible -m service -a "name=local_unbound state=restarted"
>  -kS --ask-su-pass -i 
> ansible -m service -a "name=ntpd state=restarted"  -kS --ask-su-pass -i
>  
> Alternatively you could just relax your dnssec rules on first boot to give
> ntp a chance. Probably much easier 8)

How do I do it? I don't touch dnssec rules and don't know unbound.
Maybe this is possible by startup scripts?
Also, some platforms lack CMOS time, RPi, for example.

> Also make sure you are using the '-g' flag on ntpd

Yes, I added `ntpd_sync_on_start=yes` to rc.conf.
I suggest doing it by a checkbox in bsdinstall.


> On 6 June 2016 at 14:50, Slawa Olhovchenkov  wrote:
> 
> > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
> >
> > > Slawa Olhovchenkov  writes:
> > >
> > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> > > >
> > > >> Slawa Olhovchenkov  writes:
> > > >>
> > > >> > Default install with local_unbound and ntpd can't be functional with
> > > >> > incorrect date/time in BIOS:
> > > >> >
> > > >> > Unbound requires correct time for DNSSEC check and refuses queries
> > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> > > >> >
> > > >> > ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
> > > >> > symbolic names like 0.freebsd.pool.ntp.org, as a result -- can't
> > > >> > resolve (see above, about DNSKEY).
> > > >>
> > > >> I can't see how this would happen. DNSSEC doesn't seem to be required in
> > > >> a regular install as far as I can see. Certainly I don't have any
> > > >
> > > > I don't know the reason for enforcing DNSSEC in a regular install.
> > > > I just selected `local_unbound` at setup time and entered `127.0.0.1` as
> > > > nameserver address.
> > >
> > > That's not enough to configure unbound as a fully recursive DNS
> > > server.
> >
> > What am I missing?
> > Need to fix unbound setup scripts? bsdinstall scripts?
> > As I see, unbound setup scripts detect 127.0.0.1 in resolv.conf and
> > configure unbound as a fully recursive DNS server.
> >
> > > If your system gets its address through DHCP, it is probably
> > > getting DNS server addresses as well, and would work fine *without* your
> > > configuring any of the DNS state.
> >
> > I have a static address and don't get a DNS server address.
> >
> > > >> problem on any of my systems, and I've never configured an anchor on the
> > > >> internal systems.
> > > >>
> > > >> > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
> > > >>
> > > >> Ouch; that's a terrible idea, for several different reasons.
> > > >
> > > > What else?
> > >
> > > All the normal reasons that hard-coding IP addresses is a bad idea; they
> > > can change, you're encouraging a lot of people to use the same ones, etc.
> >
> > And how to resolve this issue:
> >
> > - default install with unbound as recursive DNS server (by default
> >   enforcing DNSSEC)
> > - ntp time synchronisation
> > - stale CMOS time (2008 year)
> > ___
> > freebsd-stable@freebsd.org mailing list
> > https://lists.freebsd.org/mailman/listinfo/freebsd-stable
> > To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
> >


Re: unbound and ntp issuse

2016-06-07 Thread krad
Well there is a deadlock situation there so you have to relax one of the
conditions, for one time at least.

Your best bet is to do a manual ntpdate against a fixed ip of known
goodness. If you have a lot of machines you need to do this on, use ansible
or similar to do the heavy lifting for you. Ansible is best in my opinion
if you don't have anything set up as it's quick to get going. It does require
python on the target machines so you would need to install that first.
Something like the following should get it working (as you don't have dns on
the target machine, package fetches won't work, so I would tunnel a squid
proxy and let that handle all the internet stuff).

add something like the following to your ssh_config

Host *
RemoteForward 31280 squid_server:3128

then run some stuff like this (after installing ansible on your
desktop/bastion host)

ansible  -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy=
http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i
 -kS --ask-su-pass

ansible  -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy=
http://127.0.0.1:31280 pkg install python' -u root -i 
-kS --ask-su-pass

ansible -m shell -a "ntpdate "  -kS --ask-su-pass -i


from here on you should be able to start unbound and then ntpd eg

ansible -m service -a "name=local_unbound state=restarted"
 -kS --ask-su-pass -i 
ansible -m service -a "name=ntpd state=restarted"  -kS --ask-su-pass -i

On 6 June 2016 at 14:50, Slawa Olhovchenkov  wrote:

> On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:
>
> > Slawa Olhovchenkov  writes:
> >
> > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> > >
> > >> Slawa Olhovchenkov  writes:
> > >>
> > >> > Default install with local_unbound and ntpd can't be functional with
> > >> > incorrect date/time in BIOS:
> > >> >
> > >> > Unbound requires correct time for DNSSEC check and refuses queries
> > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> > >> >
> > >> > ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
> > >> > symbolic names like 0.freebsd.pool.ntp.org, as a result -- can't
> > >> > resolve (see above, about DNSKEY).
> > >>
> > >> I can't see how this would happen. DNSSEC doesn't seem to be required in
> > >> a regular install as far as I can see. Certainly I don't have any
> > >
> > > I don't know the reason for enforcing DNSSEC in a regular install.
> > > I just selected `local_unbound` at setup time and entered `127.0.0.1` as
> > > nameserver address.
> >
> > That's not enough to configure unbound as a fully recursive DNS
> > server.
>
> What am I missing?
> Need to fix unbound setup scripts? bsdinstall scripts?
> As I see, unbound setup scripts detect 127.0.0.1 in resolv.conf and
> configure unbound as a fully recursive DNS server.
>
> > If your system gets its address through DHCP, it is probably
> > getting DNS server addresses as well, and would work fine *without* your
> > configuring any of the DNS state.
>
> I have a static address and don't get a DNS server address.
>
> > >> problem on any of my systems, and I've never configured an anchor on the
> > >> internal systems.
> > >>
> > >> > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
> > >>
> > >> Ouch; that's a terrible idea, for several different reasons.
> > >
> > > What else?
> >
> > All the normal reasons that hard-coding IP addresses is a bad idea; they
> > can change, you're encouraging a lot of people to use the same ones, etc.
>
> And how to resolve this issue:
>
> - default install with unbound as recursive DNS server (by default
>   enforcing DNSSEC)
> - ntp time synchronisation
> - stale CMOS time (2008 year)
>
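The bootstrap that krad sketches in the two messages above (seed an `ntp-server` alias in the hosts file, refresh it from a periodic job, step the clock against that alias once when it is clearly stale, and only then bring up unbound and ntpd), written out as an added POSIX sh example. This is not code from the thread or from FreeBSD; the floor epoch, the alias name, the `NTPDATE` override and the hosts and log lines in the usage are constructed for illustration, and the alias only resolves while unbound is still refusing queries if nsswitch.conf lists `files` before `dns`.

```shell
#!/bin/sh
# Added example, not from the thread or from FreeBSD: first-boot time
# bootstrap around an 'ntp-server' alias kept in /etc/hosts. The floor
# epoch, alias name and NTPDATE override are assumptions for illustration.

# Earliest plausible "now": any clock earlier than the day this was written
# is stale (the thread's machine booted believing it was July 2008).
CLOCK_FLOOR_EPOCH=1465257600      # 2016-06-07T00:00:00Z, constructed floor

# Name that ntpdate/ntp.conf use instead of a hard-coded address; it is
# answered from the hosts file, so DNSSEC failures in unbound do not matter.
NTP_ALIAS=ntp-server

# clock_is_stale EPOCH: true when EPOCH predates the floor.
clock_is_stale() {
    [ "$1" -lt "$CLOCK_FLOOR_EPOCH" ]
}

# unbound_dnssec_failing LOGFILE: true when unbound logged the trust-anchor
# failure quoted in the thread, i.e. DNSSEC (not the network) is the blocker.
unbound_dnssec_failing() {
    grep -q 'unbound: .*failed to prime trust anchor' "$1"
}

# get_hosts_alias HOSTSFILE: print the address mapped to NTP_ALIAS, if any.
get_hosts_alias() {
    awk -v a="$NTP_ALIAS" '
        /^[ \t]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == a) { print $1; exit } }
    ' "$1"
}

# set_hosts_alias HOSTSFILE IP: the periodic refresh. Replaces (or adds) the
# alias line, keeps comments and every other entry, and publishes the result
# with a rename so a crash can never leave a truncated hosts file.
set_hosts_alias() {
    hosts=$1; ip=$2
    case $ip in
        *[!0-9.]* | "")
            echo "refusing seed '$ip': not a dotted IPv4 address" >&2
            return 1 ;;
    esac
    tmp="$hosts.tmp.$$"
    awk -v a="$NTP_ALIAS" '
        /^[ \t]*#/ { print; next }
        { keep = 1; for (i = 2; i <= NF; i++) if ($i == a) keep = 0 }
        keep
    ' "$hosts" > "$tmp" &&
    printf '%s\t%s\n' "$ip" "$NTP_ALIAS" >> "$tmp" &&
    mv "$tmp" "$hosts"
}

# bootstrap_time NOW_EPOCH HOSTSFILE: decide whether a one-shot step against
# the seeded alias is needed before unbound (DNSSEC) and ntpd (pool names)
# can come up. Prints the decision; non-zero means it could not act.
bootstrap_time() {
    now=$1; hosts=$2
    if ! clock_is_stale "$now"; then
        echo "clock plausible, skip one-shot step"
        return 0
    fi
    seed=$(get_hosts_alias "$hosts")
    if [ -z "$seed" ]; then
        echo "clock stale and no $NTP_ALIAS seed in $hosts" >&2
        return 1
    fi
    echo "clock stale, stepping against $NTP_ALIAS ($seed)"
    # NTPDATE defaults to ntpdate(8); set NTPDATE=true for a dry run.
    "${NTPDATE:-ntpdate}" -b "$NTP_ALIAS"
}
```

The refresh job would call `set_hosts_alias /etc/hosts "$new_ip"` with whatever address it obtained while DNS was healthy, and the first-boot hook calls `bootstrap_time "$(date +%s)" /etc/hosts` before the unbound and ntpd rc scripts run; on a FreeBSD box that ordering is what rcorder(8), not the position in rc.conf, decides, as David Wolfskill notes in the thread. The clock floor is deliberately crude: it catches the 2008 CMOS case without pretending to know the right time, and leaves the real synchronisation to ntpd with `ntpd_sync_on_start`.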


Re: unbound and ntp issuse

2016-06-06 Thread Slawa Olhovchenkov
On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote:

> Slawa Olhovchenkov  writes:
> 
> > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
> >
> >> Slawa Olhovchenkov  writes:
> >> 
> >> > Default install with local_unbound and ntpd can't be functional with
> >> > incorrect date/time in BIOS:
> >> >
> >> > Unbound requires correct time for DNSSEC check and refuses queries
> >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> >> >
> >> > ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
> >> > symbolic names like 0.freebsd.pool.ntp.org, as a result -- can't
> >> > resolve (see above, about DNSKEY).
> >> 
> >> I can't see how this would happen. DNSSEC doesn't seem to be required in
> >> a regular install as far as I can see. Certainly I don't have any
> >
> > I don't know the reason for enforcing DNSSEC in a regular install.
> > I just selected `local_unbound` at setup time and entered `127.0.0.1` as
> > nameserver address.
> 
> That's not enough to configure unbound as a fully recursive DNS
> server.

What am I missing?
Need to fix unbound setup scripts? bsdinstall scripts?
As I see, unbound setup scripts detect 127.0.0.1 in resolv.conf and
configure unbound as a fully recursive DNS server.

> If your system gets its address through DHCP, it is probably
> getting DNS server addresses as well, and would work fine *without* your
> configuring any of the DNS state.

I have a static address and don't get a DNS server address.

> >> problem on any of my systems, and I've never configured an anchor on the
> >> internal systems.
> >> 
> >> > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
> >> 
> >> Ouch; that's a terrible idea, for several different reasons.
> >
> > What else?
> 
> All the normal reasons that hard-coding IP addresses is a bad idea; they
> can change, you're encouraging a lot of people to use the same ones, etc.

And how to resolve this issue:

- default install with unbound as recursive DNS server (by default
  enforcing DNSSEC)
- ntp time synchronisation
- stale CMOS time (2008 year)


Re: unbound and ntp issuse

2016-06-06 Thread Lowell Gilbert
Slawa Olhovchenkov  writes:

> On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:
>
>> Slawa Olhovchenkov  writes:
>> 
>> > Default install with local_unbound and ntpd can't be functional with
>> > incorrect date/time in BIOS:
>> >
>> > Unbound requires correct time for DNSSEC check and refuses queries
>> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
>> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
>> >
>> > ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
>> > symbolic names like 0.freebsd.pool.ntp.org, as a result -- can't
>> > resolve (see above, about DNSKEY).
>> 
>> I can't see how this would happen. DNSSEC doesn't seem to be required in
>> a regular install as far as I can see. Certainly I don't have any
>
> I don't know the reason for enforcing DNSSEC in a regular install.
> I just selected `local_unbound` at setup time and entered `127.0.0.1` as
> nameserver address.

That's not enough to configure unbound as a fully recursive DNS
server. If your system gets its address through DHCP, it is probably
getting DNS server addresses as well, and would work fine *without* your
configuring any of the DNS state.

>> problem on any of my systems, and I've never configured an anchor on the
>> internal systems.
>> 
>> > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
>> 
>> Ouch; that's a terrible idea, for several different reasons.
>
> What else?

All the normal reasons that hard-coding IP addresses is a bad idea; they
can change, you're encouraging a lot of people to use the same ones, etc.


Re: unbound and ntp issuse

2016-06-03 Thread Slawa Olhovchenkov
On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote:

> Slawa Olhovchenkov  writes:
> 
> > Default install with local_unbound and ntpd can't be functional with
> > incorrect date/time in BIOS:
> >
> > Unbound requires correct time for DNSSEC check and refuses queries
> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
> >
> > ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
> > symbolic names like 0.freebsd.pool.ntp.org, as a result -- can't
> > resolve (see above, about DNSKEY).
> 
> I can't see how this would happen. DNSSEC doesn't seem to be required in
> a regular install as far as I can see. Certainly I don't have any

I don't know the reason for enforcing DNSSEC in a regular install.
I just selected `local_unbound` at setup time and entered `127.0.0.1` as
nameserver address.

> problem on any of my systems, and I've never configured an anchor on the
> internal systems.
> 
> > IMHO, ntp.conf needs to include some numeric IP of public ntp servers.
> 
> Ouch; that's a terrible idea, for several different reasons.

What else?


Re: unbound and ntp issuse

2016-06-03 Thread Lowell Gilbert
Slawa Olhovchenkov  writes:

> Default install with local_unbound and ntpd can't be functional with
> incorrect date/time in BIOS:
>
> Unbound requires correct time for DNSSEC check and refuses queries
> ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime
> trust anchor -- DNSKEY rrset is not secure . DNSKEY IN")
>
> ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
> symbolic names like 0.freebsd.pool.ntp.org, as a result -- can't
> resolve (see above, about DNSKEY).

I can't see how this would happen. DNSSEC doesn't seem to be required in
a regular install as far as I can see. Certainly I don't have any
problem on any of my systems, and I've never configured an anchor on the
internal systems.

> IMHO, ntp.conf needs to include some numeric IP of public ntp servers.

Ouch; that's a terrible idea, for several different reasons.


unbound and ntp issuse

2016-06-02 Thread Slawa Olhovchenkov
Default install with local_unbound and ntpd can't be functional with
incorrect date/time in BIOS:

Unbound requires correct time for DNSSEC check and refuses queries
("Jul  1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime trust
anchor -- DNSKEY rrset is not secure . DNSKEY IN")

ntpd doesn't have any numeric IP of ntp servers in ntp.conf -- only
symbolic names like 0.freebsd.pool.ntp.org, as a result -- can't
resolve (see above, about DNSKEY).

IMHO, ntp.conf needs to include some numeric IP of public ntp servers.

# date
Tue Jul  1 20:36:31 MSD 2008

