Re: unbound and ntp issuse
On Tue, Jun 14, 2016 at 07:55:34AM -0700, Chris H wrote: > I'm playing catchup on my INBOX, so apologies in advance, if this has > already been satisfactorily answered... > On Mon, 6 Jun 2016 16:50:18 +0300 Slawa Olhovchenkov wrote > ... > > What I am missing? > > Need to fix unbound setup scripts? bsdinstall scripts? > > As I see unbound setup scripts detects 127.0.0.1 in resolv.conf and > > configured unbound as fully recursive DNS server. > May I suggest ntpdate(8)? > Find a reliable time server in your region, and once found add it > *early* in your rc.conf(5). Well, ahead of your unbound stanza. ie; > > hostname="..." > ifconfig_re0="inet ... netmask ..." > defaultrouter="..." > Errr... The sequence of assignments in /etc/rc.conf* has no bearing on the sequence in which /etc/rc starts things. Please refer to rcorder(8) for further information on this. Peace, david -- David H. Wolfskill da...@catwhisker.org Those who would murder in the name of God or prophet are blasphemous cowards. See http://www.catwhisker.org/~david/publickey.gpg for my public key. signature.asc Description: PGP signature
Re: unbound and ntp issuse
I'm playing catchup on my INBOX, so apologies in advance, if this has already been satisfactorily answered... On Mon, 6 Jun 2016 16:50:18 +0300 Slawa Olhovchenkov wrote > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote: > > > Slawa Olhovchenkov writes: > > > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote: > > > > > >> Slawa Olhovchenkov writes: > > >> > > >> > Default install with local_unbound and ntpd can't be functional with > > >> > incorrect date/time in BIOS: > > >> > > > >> > Unbound requred correct time for DNSSEC check and refuseing queries > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN") > > >> > > > >> > ntpd don't have any numeric IP of ntp servers in ntp.conf -- only > > >> > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't > > >> > resolve (see above, about DNSKEY). > > >> > > >> I can't see how this would happen. DNSSEC doesn't seem to be required in > > >> a regular install as far as I can see. Certainly I don't have any > > > > > > I don't know reasson for enforcing DNSSEC in regular install. > > > I am just select 'local_unbound' at setup time and enter '127.0.0.1' as > > > nameserver address. > > > > That's not enough to configure unbound as a fully recursive DNS > > server. > > What I am missing? > Need to fix unbound setup scripts? bsdinstall scripts? > As I see unbound setup scripts detects 127.0.0.1 in resolv.conf and > configured unbound as fully recursive DNS server. May I suggest ntpdate(8)? Find a reliable time server in your region, and once found add it *early* in your rc.conf(5). Well, ahead of your unbound stanza. ie; hostname="..." ifconfig_re0="inet ... netmask ..." defaultrouter="..." ntpdate_enable="YES" ntpdate_hosts="a reliable regional time server" .. unbound_enable="YES" .. ALSO. Since you're upstream will, in all likelihood have informed you of a preferred set of 2 name servers. Place one of them in your hosts(5) file. This will help ensure that ntpdate(8) can reliably discover your regional time server. That should get you where you want to go. :-) --Chris > > > If your system gets its address through DHCP, it is probably > > getting DNS server addresses as well, and would work fine *without* your > > configuring any of the DNS state. > > I am have static address and don't getting DNS server address. > > > >> problem on any of my systems, and I've never configured an anchor on the > > >> internal systems. > > >> > > >> > IMHO, ntp.conf need to include some numeric IP of public ntp servers. > > >> > > >> Ouch; that's a terrible idea, for several different reasons. > > > > > > What else? > > > > All the normal reasons that hard-coding IP addresses is a bad idea; they > > can change, you're encouraging a lot of people to use the same ones, etc. > > And how to resolve this issuse: > > - default install with unbound as recursive DNS server (by default > enforcing DNSSEC) > - ntp time synchronisation > - stale CMOS time (2008 year) ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
On Tue, Jun 14, 2016 at 07:55:34AM -0700, Chris H wrote: > I'm playing catchup on my INBOX, so apologies in advance, if this has > already been satisfactorily answered... Main question not about how I am can resolve my current issuse. Main question about deadloop after setup. > On Mon, 6 Jun 2016 16:50:18 +0300 Slawa Olhovchenkov wrote > > > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote: > > > > > Slawa Olhovchenkov writes: > > > > > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote: > > > > > > > >> Slawa Olhovchenkov writes: > > > >> > > > >> > Default install with local_unbound and ntpd can't be functional with > > > >> > incorrect date/time in BIOS: > > > >> > > > > >> > Unbound requred correct time for DNSSEC check and refuseing queries > > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime > > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN") > > > >> > > > > >> > ntpd don't have any numeric IP of ntp servers in ntp.conf -- only > > > >> > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't > > > >> > resolve (see above, about DNSKEY). > > > >> > > > >> I can't see how this would happen. DNSSEC doesn't seem to be required > > > >> in > > > >> a regular install as far as I can see. Certainly I don't have any > > > > > > > > I don't know reasson for enforcing DNSSEC in regular install. > > > > I am just select 'local_unbound' at setup time and enter '127.0.0.1' as > > > > nameserver address. > > > > > > That's not enough to configure unbound as a fully recursive DNS > > > server. > > > > What I am missing? > > Need to fix unbound setup scripts? bsdinstall scripts? > > As I see unbound setup scripts detects 127.0.0.1 in resolv.conf and > > configured unbound as fully recursive DNS server. > May I suggest ntpdate(8)? > Find a reliable time server in your region, and once found add it > *early* in your rc.conf(5). Well, ahead of your unbound stanza. ie; > hostname="..." > ifconfig_re0="inet ... netmask ..." > defaultrouter="..." > ntpdate_enable="YES" > ntpdate_hosts="a reliable regional time server" Already pointed about draw back using IP address of NTP servers. > > unbound_enable="YES" > .. > > ALSO. Since you're upstream will, in all likelihood have informed > you of a preferred set of 2 name servers. Place one of them in your > hosts(5) file. This will help ensure that ntpdate(8) can reliably ok. i.e. cut-off unbound from FreeBSD tree. We don't need unbound and will always use name servers from upstream, yes? > discover your regional time server. > > That should get you where you want to go. :-) I am want working setup after FreeBSD installer. I think best solution is disable enforciment in case of STA_UNSYNC. % ntptime ntp_gettime() returns code 0 (OK) time db0a9e2b.4bd3a1d4 Tue, Jun 14 2016 18:15:55.296, (.296198421), maximum error 569983 us, estimated error 2912 us, TAI offset 0 ntp_adjtime() returns code 0 (OK) modes 0x0 (), offset 3993.151 us, frequency 0.240 ppm, interval 1 s, maximum error 569983 us, estimated error 2912 us, status 0x2001 (PLL,NANO), ^^ -- OK, may be enforciment. time constant 10, precision 0.001 us, tolerance 496 ppm, Not only for unbound, for SSL too. And may be in the other places. > --Chris > > > > > If your system gets its address through DHCP, it is probably > > > getting DNS server addresses as well, and would work fine *without* your > > > configuring any of the DNS state. > > > > I am have static address and don't getting DNS server address. > > > > > >> problem on any of my systems, and I've never configured an anchor on > > > >> the > > > >> internal systems. > > > >> > > > >> > IMHO, ntp.conf need to include some numeric IP of public ntp servers. > > > >> > > > >> Ouch; that's a terrible idea, for several different reasons. > > > > > > > > What else? > > > > > > All the normal reasons that hard-coding IP addresses is a bad idea; they > > > can change, you're encouraging a lot of people to use the same ones, etc. > > > > And how to resolve this issuse: > > > > - default install with unbound as recursive DNS server (by default > > enforcing DNSSEC) > > - ntp time synchronisation > > - stale CMOS time (2008 year) > > ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
On Fri, Jun 10, 2016 at 03:10:10PM -0400, Lowell Gilbert wrote: > Slawa Olhovchenkov writes: > > > On Thu, Jun 09, 2016 at 02:31:17PM -0400, Lowell Gilbert wrote: > > > >> Slawa Olhovchenkov writes: > >> > >> > On Thu, Jun 09, 2016 at 09:48:25AM -0400, Lowell Gilbert wrote: > >> > > >> >> Slawa Olhovchenkov writes: > >> >> > >> >> > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote: > >> >> > > >> >> >> I doubt that will happen as you are asking to pollute every release > >> >> >> installation for an edge condition when there is numerous work > >> >> >> arounds > >> >> >> that would be acceptable to most. eg two lines in rc.conf will fix > >> >> >> the > >> >> >> issue. > >> >> > > >> >> > This manual editing will be required by every install on RPi, for > >> >> > example. > >> >> > >> >> No, it won't. Most people will just give the system a valid DNS > >> >> configuration, and the clock will not be an issue. > >> > > >> > What invalid in my DNS configuration? > >> > >> You said that you configured 127.0.0.1 as your DNS server. You didn't > >> say how (or rather where) you did that, but if you had used the address > >> of a working upstream recursive server, I suspect there wouldn't have > >> been any problem. > > > > Configuring 127.0.0.1 as DNS server and enabling loacal_unbound cause > > unbound acts as recursive resolver. This is conventional setup. > > ("No forwarders found in resolv.conf, unbound will recurse." > > -- from /usr/sbin/local-unbound-setup) > > I'll check on it if I get a chance. > > > Using upstream recursive server with local unbound will cause same > > problem, IMHO, because unbound will be enfocing DNSSEC by the same > > way and rejecting all answers from upstream. > > Well, we know that is not the case, because in that case nearly everyone > would be having the problem. Only in case of very incorrect time at startup (2008 year in may case, after CMOS reset) ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
On Fri, Jun 10, 2016 at 3:10 PM, Lowell Gilbert < freebsd-stable-lo...@be-well.ilk.org> wrote: > Well, we know that is not the case, because in that case nearly everyone > would be having the problem. > That would be the point... maybe not "nearly everyone" although it is hard to be certain, but I ran headlong into this when I tried to install --- and thought I'd done something wrong until this thread, where I learned that it doesn't work -out of the box-. -- brandon s allbery kf8nh sine nomine associates allber...@gmail.com ballb...@sinenomine.net unix, openafs, kerberos, infrastructure, xmonadhttp://sinenomine.net ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
Slawa Olhovchenkov writes: > On Thu, Jun 09, 2016 at 02:31:17PM -0400, Lowell Gilbert wrote: > >> Slawa Olhovchenkov writes: >> >> > On Thu, Jun 09, 2016 at 09:48:25AM -0400, Lowell Gilbert wrote: >> > >> >> Slawa Olhovchenkov writes: >> >> >> >> > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote: >> >> > >> >> >> I doubt that will happen as you are asking to pollute every release >> >> >> installation for an edge condition when there is numerous work arounds >> >> >> that would be acceptable to most. eg two lines in rc.conf will fix >> >> >> the >> >> >> issue. >> >> > >> >> > This manual editing will be required by every install on RPi, for >> >> > example. >> >> >> >> No, it won't. Most people will just give the system a valid DNS >> >> configuration, and the clock will not be an issue. >> > >> > What invalid in my DNS configuration? >> >> You said that you configured 127.0.0.1 as your DNS server. You didn't >> say how (or rather where) you did that, but if you had used the address >> of a working upstream recursive server, I suspect there wouldn't have >> been any problem. > > Configuring 127.0.0.1 as DNS server and enabling loacal_unbound cause > unbound acts as recursive resolver. This is conventional setup. > ("No forwarders found in resolv.conf, unbound will recurse." > -- from /usr/sbin/local-unbound-setup) I'll check on it if I get a chance. > Using upstream recursive server with local unbound will cause same > problem, IMHO, because unbound will be enfocing DNSSEC by the same > way and rejecting all answers from upstream. Well, we know that is not the case, because in that case nearly everyone would be having the problem. ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
On Fri, Jun 10, 2016 at 12:53:04PM +0100, krad wrote: > Pretty much every box requires some form of configuration so its a moot > point. IF you want automated deployment you will almost certainly be > building a pxe or prepreared usb/cd image of some sort. In which case you > include these settings in the deployed rc.conf. This sound like "installer and default config not need, use ansible for all" > On 9 June 2016 at 14:37, Slawa Olhovchenkov wrote: > > > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote: > > > > > I doubt that will happen as you are asking to pollute every release > > > installation for an edge condition when there is numerous work arounds > > > that would be acceptable to most. eg two lines in rc.conf will fix the > > > issue. > > > > This manual editing will be required by every install on RPi, for > > example. > > > > Also, this issuse hard to dignostics by average user. > > > > > On 9 June 2016 at 09:04, Slawa Olhovchenkov wrote: > > > > > > > On Thu, Jun 09, 2016 at 08:39:42AM +0100, krad wrote: > > > > > > > > > googles will be pretty static, but i would just use them as a one > > off, ie > > > > > with ntpdate > > > > > > > > i am talk about freebsd system/project. > > > > > > > > > > > > > > On 8 June 2016 at 10:48, Slawa Olhovchenkov wrote: > > > > > > > > > > > On Wed, Jun 08, 2016 at 02:29:29AM +0200, Dag-Erling Smørgrav > > wrote: > > > > > > > > > > > > > Slawa Olhovchenkov writes: > > > > > > > > IMHO, ntp.conf need to include some numeric IP of public ntp > > > > servers. > > > > > > > > > > > > > > https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse > > > > > > > > > https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link > > > > > > > > > > > > What you suggestion? > > > > > > > > > > > > ___ > > > > > > freebsd-stable@freebsd.org mailing list > > > > > > https://lists.freebsd.org/mailman/listinfo/freebsd-stable > > > > > > To unsubscribe, send any mail to " > > > > freebsd-stable-unsubscr...@freebsd.org" > > > > > > > > > > > > ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
Pretty much every box requires some form of configuration so its a moot point. IF you want automated deployment you will almost certainly be building a pxe or prepreared usb/cd image of some sort. In which case you include these settings in the deployed rc.conf. On 9 June 2016 at 14:37, Slawa Olhovchenkov wrote: > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote: > > > I doubt that will happen as you are asking to pollute every release > > installation for an edge condition when there is numerous work arounds > > that would be acceptable to most. eg two lines in rc.conf will fix the > > issue. > > This manual editing will be required by every install on RPi, for > example. > > Also, this issuse hard to dignostics by average user. > > > On 9 June 2016 at 09:04, Slawa Olhovchenkov wrote: > > > > > On Thu, Jun 09, 2016 at 08:39:42AM +0100, krad wrote: > > > > > > > googles will be pretty static, but i would just use them as a one > off, ie > > > > with ntpdate > > > > > > i am talk about freebsd system/project. > > > > > > > > > > > On 8 June 2016 at 10:48, Slawa Olhovchenkov wrote: > > > > > > > > > On Wed, Jun 08, 2016 at 02:29:29AM +0200, Dag-Erling Smørgrav > wrote: > > > > > > > > > > > Slawa Olhovchenkov writes: > > > > > > > IMHO, ntp.conf need to include some numeric IP of public ntp > > > servers. > > > > > > > > > > > > https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse > > > > > > > https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link > > > > > > > > > > What you suggestion? > > > > > > > > > > ___ > > > > > freebsd-stable@freebsd.org mailing list > > > > > https://lists.freebsd.org/mailman/listinfo/freebsd-stable > > > > > To unsubscribe, send any mail to " > > > freebsd-stable-unsubscr...@freebsd.org" > > > > > > > > > ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
On Thu, Jun 09, 2016 at 02:31:17PM -0400, Lowell Gilbert wrote: > Slawa Olhovchenkov writes: > > > On Thu, Jun 09, 2016 at 09:48:25AM -0400, Lowell Gilbert wrote: > > > >> Slawa Olhovchenkov writes: > >> > >> > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote: > >> > > >> >> I doubt that will happen as you are asking to pollute every release > >> >> installation for an edge condition when there is numerous work arounds > >> >> that would be acceptable to most. eg two lines in rc.conf will fix the > >> >> issue. > >> > > >> > This manual editing will be required by every install on RPi, for > >> > example. > >> > >> No, it won't. Most people will just give the system a valid DNS > >> configuration, and the clock will not be an issue. > > > > What invalid in my DNS configuration? > > You said that you configured 127.0.0.1 as your DNS server. You didn't > say how (or rather where) you did that, but if you had used the address > of a working upstream recursive server, I suspect there wouldn't have > been any problem. Configuring 127.0.0.1 as DNS server and enabling loacal_unbound cause unbound acts as recursive resolver. This is conventional setup. ("No forwarders found in resolv.conf, unbound will recurse." -- from /usr/sbin/local-unbound-setup) Using upstream recursive server with local unbound will cause same problem, IMHO, because unbound will be enfocing DNSSEC by the same way and rejecting all answers from upstream. ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
Slawa Olhovchenkov writes: > On Thu, Jun 09, 2016 at 09:48:25AM -0400, Lowell Gilbert wrote: > >> Slawa Olhovchenkov writes: >> >> > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote: >> > >> >> I doubt that will happen as you are asking to pollute every release >> >> installation for an edge condition when there is numerous work arounds >> >> that would be acceptable to most. eg two lines in rc.conf will fix the >> >> issue. >> > >> > This manual editing will be required by every install on RPi, for >> > example. >> >> No, it won't. Most people will just give the system a valid DNS >> configuration, and the clock will not be an issue. > > What invalid in my DNS configuration? You said that you configured 127.0.0.1 as your DNS server. You didn't say how (or rather where) you did that, but if you had used the address of a working upstream recursive server, I suspect there wouldn't have been any problem. ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
On Thu, Jun 09, 2016 at 09:48:25AM -0400, Lowell Gilbert wrote: > Slawa Olhovchenkov writes: > > > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote: > > > >> I doubt that will happen as you are asking to pollute every release > >> installation for an edge condition when there is numerous work arounds > >> that would be acceptable to most. eg two lines in rc.conf will fix the > >> issue. > > > > This manual editing will be required by every install on RPi, for > > example. > > No, it won't. Most people will just give the system a valid DNS > configuration, and the clock will not be an issue. What invalid in my DNS configuration? ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
Slawa Olhovchenkov writes: > On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote: > >> I doubt that will happen as you are asking to pollute every release >> installation for an edge condition when there is numerous work arounds >> that would be acceptable to most. eg two lines in rc.conf will fix the >> issue. > > This manual editing will be required by every install on RPi, for > example. No, it won't. Most people will just give the system a valid DNS configuration, and the clock will not be an issue. ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
On Thu, Jun 09, 2016 at 02:29:09PM +0100, krad wrote: > I doubt that will happen as you are asking to pollute every release > installation for an edge condition when there is numerous work arounds > that would be acceptable to most. eg two lines in rc.conf will fix the > issue. This manual editing will be required by every install on RPi, for example. Also, this issuse hard to dignostics by average user. > On 9 June 2016 at 09:04, Slawa Olhovchenkov wrote: > > > On Thu, Jun 09, 2016 at 08:39:42AM +0100, krad wrote: > > > > > googles will be pretty static, but i would just use them as a one off, ie > > > with ntpdate > > > > i am talk about freebsd system/project. > > > > > > > > On 8 June 2016 at 10:48, Slawa Olhovchenkov wrote: > > > > > > > On Wed, Jun 08, 2016 at 02:29:29AM +0200, Dag-Erling Smørgrav wrote: > > > > > > > > > Slawa Olhovchenkov writes: > > > > > > IMHO, ntp.conf need to include some numeric IP of public ntp > > servers. > > > > > > > > > > https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse > > > > > https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link > > > > > > > > What you suggestion? > > > > > > > > ___ > > > > freebsd-stable@freebsd.org mailing list > > > > https://lists.freebsd.org/mailman/listinfo/freebsd-stable > > > > To unsubscribe, send any mail to " > > freebsd-stable-unsubscr...@freebsd.org" > > > > > > ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
I doubt that will happen as you are asking to pollute every release installation for an edge condition when there is numerous work arounds that would be acceptable to most. eg two lines in rc.conf will fix the issue. On 9 June 2016 at 09:04, Slawa Olhovchenkov wrote: > On Thu, Jun 09, 2016 at 08:39:42AM +0100, krad wrote: > > > googles will be pretty static, but i would just use them as a one off, ie > > with ntpdate > > i am talk about freebsd system/project. > > > > > On 8 June 2016 at 10:48, Slawa Olhovchenkov wrote: > > > > > On Wed, Jun 08, 2016 at 02:29:29AM +0200, Dag-Erling Smørgrav wrote: > > > > > > > Slawa Olhovchenkov writes: > > > > > IMHO, ntp.conf need to include some numeric IP of public ntp > servers. > > > > > > > > https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse > > > > https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link > > > > > > What you suggestion? > > > > > > ___ > > > freebsd-stable@freebsd.org mailing list > > > https://lists.freebsd.org/mailman/listinfo/freebsd-stable > > > To unsubscribe, send any mail to " > freebsd-stable-unsubscr...@freebsd.org" > > > > ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
On Thu, Jun 09, 2016 at 08:39:42AM +0100, krad wrote: > googles will be pretty static, but i would just use them as a one off, ie > with ntpdate i am talk about freebsd system/project. > > On 8 June 2016 at 10:48, Slawa Olhovchenkov wrote: > > > On Wed, Jun 08, 2016 at 02:29:29AM +0200, Dag-Erling Smørgrav wrote: > > > > > Slawa Olhovchenkov writes: > > > > IMHO, ntp.conf need to include some numeric IP of public ntp servers. > > > > > > https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse > > > https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link > > > > What you suggestion? > > > > ___ > > freebsd-stable@freebsd.org mailing list > > https://lists.freebsd.org/mailman/listinfo/freebsd-stable > > To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org" > > ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
googles will be pretty static, but i would just use them as a one off, ie with ntpdate On 8 June 2016 at 10:48, Slawa Olhovchenkov wrote: > On Wed, Jun 08, 2016 at 02:29:29AM +0200, Dag-Erling Smørgrav wrote: > > > Slawa Olhovchenkov writes: > > > IMHO, ntp.conf need to include some numeric IP of public ntp servers. > > > > https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse > > https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link > > What you suggestion? > > ___ > freebsd-stable@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org" > ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
On Wed, Jun 08, 2016 at 02:29:29AM +0200, Dag-Erling Smørgrav wrote: > Slawa Olhovchenkov writes: > > IMHO, ntp.conf need to include some numeric IP of public ntp servers. > > https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse > https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link What you suggestion? ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
Slawa Olhovchenkov writes: > IMHO, ntp.conf need to include some numeric IP of public ntp servers. https://en.wikipedia.org/wiki/NTP_server_misuse_and_abuse https://en.wikipedia.org/wiki/Poul-Henning_Kamp#Dispute_with_D-Link DES -- Dag-Erling Smørgrav - d...@des.no ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
On Tue, 07 Jun 2016 12:43:35 +0200, Slawa Olhovchenkov wrote: On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote: Like i said you could configure ntpdate as well as ntpd, but give it a known good ip. It will only run once at boot, and ntpd will start after so that can use the nice pool names. A slightly better way maybe to give ntpdate a server hostname like ntp-server and populated the hosts file with one of the ips from pool.ntp.org. You could then have a periodic script to check and update the ip in the hosts every day, so it works over a reboot. The ip would obviously have to have an initial seed value, but you could work this out progmatically at system configuration time with tools like ansible. What purpose don't do it by standart scripts from base systems? Enforcing DNSSEC must be prevent this strange works on all systems lack CMOS time. If the system lacks CMOS time it is hard to fix this problem. It is not only about NTP+DNSSEC, but also about the lack of timekeeping. This timekeeping problem can be solved by using a local ntp-server. That would break the deadlock of NTP+DNSSEC. Ronald. I am not expert in sh scripting for this automation. On 7 June 2016 at 09:47, Slawa Olhovchenkov wrote: > On Tue, Jun 07, 2016 at 09:00:29AM +0100, krad wrote: > > > Well there is a deadlock situation there so you have to relax one of the > > conditions, for one time at least. > > > > Your best bet is to do a manual ntpdate against a fixed ip of known > > goodness. If you have a lot of machines you need to do this on, use > ansible > > or similar to do the heavy lifting for you. Ansible is best in my opinion > > if you dont have anything setup as its quick to get going. It does > require > > python on the target machines so you would need to install that first. > > Something like the following should get it working (as you dont have dns > on > > the target machine, package fetches wont work, so i would tunnel a squid > > proxy and let that handle all the internet stuff. > > > > add something like the following to your ssh_config > > > > Host * > > RemoteForward 31280 squid_server:3128 > > > > then run some stuff like this (after installing ansible on your > > desktop/bastion host) > > > > ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy= > > http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i > > -kS --ask-su-pass > > > > ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy= > > http://127.0.0.1:31280 pkg install python' -u root -i > > -kS --ask-su-pass > > > > ansible -m shell -a "ntpdate " -kS --ask-su-pass -i > > > > > > from here on you should be able to start unbound and then ntpd eg > > > > ansible -m service -a "name=local_unbound state=restarted" > > -kS --ask-su-pass -i > > ansible -m service -a "name=ntpd state=restarted" -kS --ask-su-pass -i > > > > > Alternatively you could just relax your dnssec rules on first boot to > give > > ntp a chance. Probably much easier 8) > > How I am do it? I am don't touch dnssec rules and don't know unbound. > May be this is posible by startup scripts? > Also, some platforms lack of CMOS time, RPi, for example. > > > Also make sure you are using the '-g' flag on ntpd > > Yes, I am add `ntpd_sync_on_start=yes` to rc.conf. > I am suggest do it by checkbox in bsdinstall. > > > > On 6 June 2016 at 14:50, Slawa Olhovchenkov wrote: > > > > > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote: > > > > > > > Slawa Olhovchenkov writes: > > > > > > > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote: > > > > > > > > > >> Slawa Olhovchenkov writes: > > > > >> > > > > >> > Default install with local_unbound and ntpd can't be functional > with > > > > >> > incorrect date/time in BIOS: > > > > >> > > > > > >> > Unbound requred correct time for DNSSEC check and refuseing > queries > > > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to > prime > > > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN") > > > > >> > > > > > >> > ntpd don't have any numeric IP of ntp servers in ntp.conf -- > only > > > > >> > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't > > > > >> > resolve (see above, about DNSKEY). > > > > >> > > > > >> I can't see how this would happen. DNSSEC doesn't seem to be > required > > > in > > > > >> a regular install as far as I can see. Certainly I don't have any > > > > > > > > > > I don't know reasson for enforcing DNSSEC in regular install. > > > > > I am just select `local_unbound` at setup time and enter > `127.0.0.1` as > > > > > nameserver address. > > > > > > > > That's not enough to configure unbound as a fully recursive DNS > > > > server. > > > > > > What I am missing? > > > Need to fix unbound setup scripts? bsdinstall scripts? > > > As I see unbound setup scripts detects 127.0.0.1 in resolv.conf and > > > configured unbound as fully recursive DNS server. >
Re: unbound and ntp issuse
On Tue, Jun 07, 2016 at 04:56:47PM +0200, Ronald Klop wrote: > On Tue, 07 Jun 2016 12:43:35 +0200, Slawa Olhovchenkov > wrote: > > > On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote: > > > >> Like i said you could configure ntpdate as well as ntpd, but give it a > >> known good ip. It will only run once at boot, and ntpd will start after > >> so > >> that can use the nice pool names. > >> > >> A slightly better way maybe to give ntpdate a server hostname like > >> ntp-server and populated the hosts file with one of the ips from > >> pool.ntp.org. You could then have a periodic script to check and update > >> the > >> ip in the hosts every day, so it works over a reboot. The ip would > >> obviously have to have an initial seed value, but you could work this > >> out > >> progmatically at system configuration time with tools like ansible. > > > > What purpose don't do it by standart scripts from base systems? > > Enforcing DNSSEC must be prevent this strange works on all systems > > lack CMOS time. > > > If the system lacks CMOS time it is hard to fix this problem. It is not > only about NTP+DNSSEC, but also about the lack of timekeeping. This > timekeeping problem can be solved by using a local ntp-server. That would > break the deadlock of NTP+DNSSEC. ntpd_sync_on_start=yes unbound start in relaxed mode until time sinced after ntp synced unbound switcheed to DNSSEC mode. ntp re-resolved ntp server addrees What wrong with this? Some software need modification, yes. This is price for DNSSEC enforcing. Many systems don't have CMOS by design. > > I am not expert in sh scripting for this automation. > > > >> On 7 June 2016 at 09:47, Slawa Olhovchenkov wrote: > >> > >> > On Tue, Jun 07, 2016 at 09:00:29AM +0100, krad wrote: > >> > > >> > > Well there is a deadlock situation there so you have to relax one > >> of the > >> > > conditions, for one time at least. > >> > > > >> > > Your best bet is to do a manual ntpdate against a fixed ip of known > >> > > goodness. If you have a lot of machines you need to do this on, use > >> > ansible > >> > > or similar to do the heavy lifting for you. Ansible is best in my > >> opinion > >> > > if you dont have anything setup as its quick to get going. It does > >> > require > >> > > python on the target machines so you would need to install that > >> first. > >> > > Something like the following should get it working (as you dont > >> have dns > >> > on > >> > > the target machine, package fetches wont work, so i would tunnel a > >> squid > >> > > proxy and let that handle all the internet stuff. > >> > > > >> > > add something like the following to your ssh_config > >> > > > >> > > Host * > >> > > RemoteForward 31280 squid_server:3128 > >> > > > >> > > then run some stuff like this (after installing ansible on your > >> > > desktop/bastion host) > >> > > > >> > > ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy= > >> > > http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i > >> > > -kS --ask-su-pass > >> > > > >> > > ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy= > >> > > http://127.0.0.1:31280 pkg install python' -u root -i > >> > >> > > -kS --ask-su-pass > >> > > > >> > > ansible -m shell -a "ntpdate " -kS > >> --ask-su-pass -i > >> > > > >> > > > >> > > from here on you should be able to start unbound and then ntpd eg > >> > > > >> > > ansible -m service -a "name=local_unbound state=restarted" > >> > > -kS --ask-su-pass -i > >> > > ansible -m service -a "name=ntpd state=restarted" -kS > >> --ask-su-pass -i > >> > > >> > > > >> > > Alternatively you could just relax your dnssec rules on first boot > >> to > >> > give > >> > > ntp a chance. Probably much easier 8) > >> > > >> > How I am do it? I am don't touch dnssec rules and don't know unbound. > >> > May be this is posible by startup scripts? > >> > Also, some platforms lack of CMOS time, RPi, for example. > >> > > >> > > Also make sure you are using the '-g' flag on ntpd > >> > > >> > Yes, I am add `ntpd_sync_on_start=yes` to rc.conf. > >> > I am suggest do it by checkbox in bsdinstall. > >> > > >> > > >> > > On 6 June 2016 at 14:50, Slawa Olhovchenkov wrote: > >> > > > >> > > > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote: > >> > > > > >> > > > > Slawa Olhovchenkov writes: > >> > > > > > >> > > > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert > >> wrote: > >> > > > > > > >> > > > > >> Slawa Olhovchenkov writes: > >> > > > > >> > >> > > > > >> > Default install with local_unbound and ntpd can't be > >> functional > >> > with > >> > > > > >> > incorrect date/time in BIOS: > >> > > > > >> > > >> > > > > >> > Unbound requred correct time for DNSSEC check and refuseing > >> > queries > >> > > > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed > >> to > >> > prime > >> > > > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN") > >> > > > > >> > > >> > > > > >> > ntpd
Re: unbound and ntp issuse
running this at boot time may help as well unbound-control set_option val-permissive-mode: yes then after ntpd has started up run this unbound-control set_option val-permissive-mode: no Yes work around's, but work around's work by definition. On 7 June 2016 at 15:00, krad wrote: > it's a non solvable problem though as its a deadlock. You have to remove > one of the criteria in order to fix the issue automatically. > > On 7 June 2016 at 14:32, Slawa Olhovchenkov wrote: > >> On Tue, Jun 07, 2016 at 07:29:32AM -0600, Ian Lepore wrote: >> >> > On Tue, 2016-06-07 at 12:10 +0100, krad wrote: >> > > whops that should be >> > > >> > > ntpdate_hosts not servers >> > > >> > >> > These suggestions are essentially insane because they're ignoring the >> > basic fact that the freebsd installer creates a non-working system. If >> > unbound requires DNSSEC, and DNSSEC requires good time, and good time >> > requires hostname resolution, then that circular dependency is a >> > problem that the freebsd project needs to fix, not something to be >> > hacked around by each individual sysadmin. >> >> Exactly! This is may point! >> >> > It is a bit disturbing to me that the project members who created this >> > situation have been silent in the face of *months* of reporting of it >> > by several different users. >> > > ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
it's a non solvable problem though as its a deadlock. You have to remove one of the criteria in order to fix the issue automatically. On 7 June 2016 at 14:32, Slawa Olhovchenkov wrote: > On Tue, Jun 07, 2016 at 07:29:32AM -0600, Ian Lepore wrote: > > > On Tue, 2016-06-07 at 12:10 +0100, krad wrote: > > > whops that should be > > > > > > ntpdate_hosts not servers > > > > > > > These suggestions are essentially insane because they're ignoring the > > basic fact that the freebsd installer creates a non-working system. If > > unbound requires DNSSEC, and DNSSEC requires good time, and good time > > requires hostname resolution, then that circular dependency is a > > problem that the freebsd project needs to fix, not something to be > > hacked around by each individual sysadmin. > > Exactly! This is may point! > > > It is a bit disturbing to me that the project members who created this > > situation have been silent in the face of *months* of reporting of it > > by several different users. > ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
On Tue, 2016-06-07 at 12:10 +0100, krad wrote: > whops that should be > > ntpdate_hosts not servers > These suggestions are essentially insane because they're ignoring the basic fact that the freebsd installer creates a non-working system. If unbound requires DNSSEC, and DNSSEC requires good time, and good time requires hostname resolution, then that circular dependency is a problem that the freebsd project needs to fix, not something to be hacked around by each individual sysadmin. It is a bit disturbing to me that the project members who created this situation have been silent in the face of *months* of reporting of it by several different users. -- Ian > > On 7 June 2016 at 12:09, krad wrote: > > > something as simple as this thrown in /etc/periodic/daily/ would > > probably > > do it. > > > > #!/bin/sh > > ip=`dig pool.ntp.org +short | head -1' > > cp /etc/hosts /etc/hosts.old && > > sed -e "s/.*ntp-server/$ip ntp-server/" /etc/hosts.old > > > /etc/hosts > > > > > > with these lines in rc.conf > > ntpdate_enable=yes > > ntpdate_servers="ntp-server" > > > > > > > > > > > > On 7 June 2016 at 11:43, Slawa Olhovchenkov wrote: > > > > > On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote: > > > > > > > Like i said you could configure ntpdate as well as ntpd, but > > > > give it a > > > > known good ip. It will only run once at boot, and ntpd will > > > > start after > > > so > > > > that can use the nice pool names. > > > > > > > > A slightly better way maybe to give ntpdate a server hostname > > > > like > > > > ntp-server and populated the hosts file with one of the ips > > > > from > > > > pool.ntp.org. You could then have a periodic script to check > > > > and > > > update the > > > > ip in the hosts every day, so it works over a reboot. The ip > > > > would > > > > obviously have to have an initial seed value, but you could > > > > work this > > > out > > > > progmatically at system configuration time with tools like > > > > ansible. > > > > > > What purpose don't do it by standart scripts from base systems? > > > Enforcing DNSSEC must be prevent this strange works on all > > > systems > > > lack CMOS time. > > > > > > I am not expert in sh scripting for this automation. > > > > > > > On 7 June 2016 at 09:47, Slawa Olhovchenkov > > > > wrote: > > > > > > > > > On Tue, Jun 07, 2016 at 09:00:29AM +0100, krad wrote: > > > > > > > > > > > Well there is a deadlock situation there so you have to > > > > > > relax one > > > of the > > > > > > conditions, for one time at least. > > > > > > > > > > > > Your best bet is to do a manual ntpdate against a fixed ip > > > > > > of known > > > > > > goodness. If you have a lot of machines you need to do this > > > > > > on, use > > > > > ansible > > > > > > or similar to do the heavy lifting for you. Ansible is best > > > > > > in my > > > opinion > > > > > > if you dont have anything setup as its quick to get going. > > > > > > It does > > > > > require > > > > > > python on the target machines so you would need to install > > > > > > that > > > first. > > > > > > Something like the following should get it working (as you > > > > > > dont > > > have dns > > > > > on > > > > > > the target machine, package fetches wont work, so i would > > > > > > tunnel a > > > squid > > > > > > proxy and let that handle all the internet stuff. > > > > > > > > > > > > add something like the following to your ssh_config > > > > > > > > > > > > Host * > > > > > > RemoteForward 31280 squid_server:3128 > > > > > > > > > > > > then run some stuff like this (after installing ansible on > > > > > > your > > > > > > desktop/bastion host) > > > > > > > > > > > > ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 > > > > > > http_proxy= > > > > > > http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root > > > > > > -i > > > > > > -kS --ask-su-pass > > > > > > > > > > > > ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES > > > > > > http_proxy= > > > > > > http://127.0.0.1:31280 pkg install python' -u root -i > > > > > > > > > -kS --ask-su-pass > > > > > > > > > > > > ansible -m shell -a "ntpdate " -kS > > > --ask-su-pass -i > > > > > > > > > > > > > > > > > > from here on you should be able to start unbound and then > > > > > > ntpd eg > > > > > > > > > > > > ansible -m service -a "name=local_unbound state=restarted" > > > > > > -kS --ask-su-pass -i > > > > > > ansible -m service -a "name=ntpd state=restarted" -kS > > > --ask-su-pass -i > > > > > > > > > > > > > > > > > Alternatively you could just relax your dnssec rules on > > > > > > first boot > > > to > > > > > give > > > > > > ntp a chance. Probably much easier 8) > > > > > > > > > > How I am do it? I am don't touch dnssec rules and don't know > > > > > unbound. > > > > > May be this is posible by startup scripts? > > > > > Also, some platforms lack of CMOS time, RPi, for example. > > > > > > > > > > > Also make sure you are using the '-g' flag on ntpd > > > > > > > > > > Yes, I
Re: unbound and ntp issuse
On Tue, Jun 07, 2016 at 07:29:32AM -0600, Ian Lepore wrote: > On Tue, 2016-06-07 at 12:10 +0100, krad wrote: > > whops that should be > > > > ntpdate_hosts not servers > > > > These suggestions are essentially insane because they're ignoring the > basic fact that the freebsd installer creates a non-working system. If > unbound requires DNSSEC, and DNSSEC requires good time, and good time > requires hostname resolution, then that circular dependency is a > problem that the freebsd project needs to fix, not something to be > hacked around by each individual sysadmin. Exactly! This is may point! > It is a bit disturbing to me that the project members who created this > situation have been silent in the face of *months* of reporting of it > by several different users. ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
whops that should be ntpdate_hosts not servers On 7 June 2016 at 12:09, krad wrote: > something as simple as this thrown in /etc/periodic/daily/ would probably > do it. > > #!/bin/sh > ip=`dig pool.ntp.org +short | head -1' > cp /etc/hosts /etc/hosts.old && > sed -e "s/.*ntp-server/$ip ntp-server/" /etc/hosts.old > /etc/hosts > > > with these lines in rc.conf > ntpdate_enable=yes > ntpdate_servers="ntp-server" > > > > > > On 7 June 2016 at 11:43, Slawa Olhovchenkov wrote: > >> On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote: >> >> > Like i said you could configure ntpdate as well as ntpd, but give it a >> > known good ip. It will only run once at boot, and ntpd will start after >> so >> > that can use the nice pool names. >> > >> > A slightly better way maybe to give ntpdate a server hostname like >> > ntp-server and populated the hosts file with one of the ips from >> > pool.ntp.org. You could then have a periodic script to check and >> update the >> > ip in the hosts every day, so it works over a reboot. The ip would >> > obviously have to have an initial seed value, but you could work this >> out >> > progmatically at system configuration time with tools like ansible. >> >> What purpose don't do it by standart scripts from base systems? >> Enforcing DNSSEC must be prevent this strange works on all systems >> lack CMOS time. >> >> I am not expert in sh scripting for this automation. >> >> > On 7 June 2016 at 09:47, Slawa Olhovchenkov wrote: >> > >> > > On Tue, Jun 07, 2016 at 09:00:29AM +0100, krad wrote: >> > > >> > > > Well there is a deadlock situation there so you have to relax one >> of the >> > > > conditions, for one time at least. >> > > > >> > > > Your best bet is to do a manual ntpdate against a fixed ip of known >> > > > goodness. If you have a lot of machines you need to do this on, use >> > > ansible >> > > > or similar to do the heavy lifting for you. Ansible is best in my >> opinion >> > > > if you dont have anything setup as its quick to get going. It does >> > > require >> > > > python on the target machines so you would need to install that >> first. >> > > > Something like the following should get it working (as you dont >> have dns >> > > on >> > > > the target machine, package fetches wont work, so i would tunnel a >> squid >> > > > proxy and let that handle all the internet stuff. >> > > > >> > > > add something like the following to your ssh_config >> > > > >> > > > Host * >> > > > RemoteForward 31280 squid_server:3128 >> > > > >> > > > then run some stuff like this (after installing ansible on your >> > > > desktop/bastion host) >> > > > >> > > > ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy= >> > > > http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i >> > > > -kS --ask-su-pass >> > > > >> > > > ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy= >> > > > http://127.0.0.1:31280 pkg install python' -u root -i >> >> > > > -kS --ask-su-pass >> > > > >> > > > ansible -m shell -a "ntpdate " -kS >> --ask-su-pass -i >> > > > >> > > > >> > > > from here on you should be able to start unbound and then ntpd eg >> > > > >> > > > ansible -m service -a "name=local_unbound state=restarted" >> > > > -kS --ask-su-pass -i >> > > > ansible -m service -a "name=ntpd state=restarted" -kS >> --ask-su-pass -i >> > > > > > > > >> > > > Alternatively you could just relax your dnssec rules on first boot >> to >> > > give >> > > > ntp a chance. Probably much easier 8) >> > > >> > > How I am do it? I am don't touch dnssec rules and don't know unbound. >> > > May be this is posible by startup scripts? >> > > Also, some platforms lack of CMOS time, RPi, for example. >> > > >> > > > Also make sure you are using the '-g' flag on ntpd >> > > >> > > Yes, I am add `ntpd_sync_on_start=yes` to rc.conf. >> > > I am suggest do it by checkbox in bsdinstall. >> > > >> > > >> > > > On 6 June 2016 at 14:50, Slawa Olhovchenkov wrote: >> > > > >> > > > > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote: >> > > > > >> > > > > > Slawa Olhovchenkov writes: >> > > > > > >> > > > > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert >> wrote: >> > > > > > > >> > > > > > >> Slawa Olhovchenkov writes: >> > > > > > >> >> > > > > > >> > Default install with local_unbound and ntpd can't be >> functional >> > > with >> > > > > > >> > incorrect date/time in BIOS: >> > > > > > >> > >> > > > > > >> > Unbound requred correct time for DNSSEC check and refuseing >> > > queries >> > > > > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed >> to >> > > prime >> > > > > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN") >> > > > > > >> > >> > > > > > >> > ntpd don't have any numeric IP of ntp servers in ntp.conf >> -- >> > > only >> > > > > > >> > symbolic names like 0.freebsd.pool.ntp.org, as result -- >> can't >> > > > > > >> > resolve (see above, about DNSKEY). >> > > > > > >> >> > > > > > >> I can't see how this would happen. D
Re: unbound and ntp issuse
something as simple as this thrown in /etc/periodic/daily/ would probably do it. #!/bin/sh ip=`dig pool.ntp.org +short | head -1' cp /etc/hosts /etc/hosts.old && sed -e "s/.*ntp-server/$ip ntp-server/" /etc/hosts.old > /etc/hosts with these lines in rc.conf ntpdate_enable=yes ntpdate_servers="ntp-server" On 7 June 2016 at 11:43, Slawa Olhovchenkov wrote: > On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote: > > > Like i said you could configure ntpdate as well as ntpd, but give it a > > known good ip. It will only run once at boot, and ntpd will start after > so > > that can use the nice pool names. > > > > A slightly better way maybe to give ntpdate a server hostname like > > ntp-server and populated the hosts file with one of the ips from > > pool.ntp.org. You could then have a periodic script to check and update > the > > ip in the hosts every day, so it works over a reboot. The ip would > > obviously have to have an initial seed value, but you could work this out > > progmatically at system configuration time with tools like ansible. > > What purpose don't do it by standart scripts from base systems? > Enforcing DNSSEC must be prevent this strange works on all systems > lack CMOS time. > > I am not expert in sh scripting for this automation. > > > On 7 June 2016 at 09:47, Slawa Olhovchenkov wrote: > > > > > On Tue, Jun 07, 2016 at 09:00:29AM +0100, krad wrote: > > > > > > > Well there is a deadlock situation there so you have to relax one of > the > > > > conditions, for one time at least. > > > > > > > > Your best bet is to do a manual ntpdate against a fixed ip of known > > > > goodness. If you have a lot of machines you need to do this on, use > > > ansible > > > > or similar to do the heavy lifting for you. Ansible is best in my > opinion > > > > if you dont have anything setup as its quick to get going. It does > > > require > > > > python on the target machines so you would need to install that > first. > > > > Something like the following should get it working (as you dont have > dns > > > on > > > > the target machine, package fetches wont work, so i would tunnel a > squid > > > > proxy and let that handle all the internet stuff. > > > > > > > > add something like the following to your ssh_config > > > > > > > > Host * > > > > RemoteForward 31280 squid_server:3128 > > > > > > > > then run some stuff like this (after installing ansible on your > > > > desktop/bastion host) > > > > > > > > ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy= > > > > http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i > > > > -kS --ask-su-pass > > > > > > > > ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy= > > > > http://127.0.0.1:31280 pkg install python' -u root -i > > > > > -kS --ask-su-pass > > > > > > > > ansible -m shell -a "ntpdate " -kS > --ask-su-pass -i > > > > > > > > > > > > from here on you should be able to start unbound and then ntpd eg > > > > > > > > ansible -m service -a "name=local_unbound state=restarted" > > > > -kS --ask-su-pass -i > > > > ansible -m service -a "name=ntpd state=restarted" -kS --ask-su-pass > -i > > > > > > > > > > > Alternatively you could just relax your dnssec rules on first boot to > > > give > > > > ntp a chance. Probably much easier 8) > > > > > > How I am do it? I am don't touch dnssec rules and don't know unbound. > > > May be this is posible by startup scripts? > > > Also, some platforms lack of CMOS time, RPi, for example. > > > > > > > Also make sure you are using the '-g' flag on ntpd > > > > > > Yes, I am add `ntpd_sync_on_start=yes` to rc.conf. > > > I am suggest do it by checkbox in bsdinstall. > > > > > > > > > > On 6 June 2016 at 14:50, Slawa Olhovchenkov wrote: > > > > > > > > > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote: > > > > > > > > > > > Slawa Olhovchenkov writes: > > > > > > > > > > > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote: > > > > > > > > > > > > > >> Slawa Olhovchenkov writes: > > > > > > >> > > > > > > >> > Default install with local_unbound and ntpd can't be > functional > > > with > > > > > > >> > incorrect date/time in BIOS: > > > > > > >> > > > > > > > >> > Unbound requred correct time for DNSSEC check and refuseing > > > queries > > > > > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to > > > prime > > > > > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN") > > > > > > >> > > > > > > > >> > ntpd don't have any numeric IP of ntp servers in ntp.conf -- > > > only > > > > > > >> > symbolic names like 0.freebsd.pool.ntp.org, as result -- > can't > > > > > > >> > resolve (see above, about DNSKEY). > > > > > > >> > > > > > > >> I can't see how this would happen. DNSSEC doesn't seem to be > > > required > > > > > in > > > > > > >> a regular install as far as I can see. Certainly I don't have > any > > > > > > > > > > > > > > I don't know reasson for enforcing DNSSEC in regular install. > > > > > > > I am just
Re: unbound and ntp issuse
On Tue, Jun 07, 2016 at 11:35:59AM +0100, krad wrote: > Like i said you could configure ntpdate as well as ntpd, but give it a > known good ip. It will only run once at boot, and ntpd will start after so > that can use the nice pool names. > > A slightly better way maybe to give ntpdate a server hostname like > ntp-server and populated the hosts file with one of the ips from > pool.ntp.org. You could then have a periodic script to check and update the > ip in the hosts every day, so it works over a reboot. The ip would > obviously have to have an initial seed value, but you could work this out > progmatically at system configuration time with tools like ansible. What purpose don't do it by standart scripts from base systems? Enforcing DNSSEC must be prevent this strange works on all systems lack CMOS time. I am not expert in sh scripting for this automation. > On 7 June 2016 at 09:47, Slawa Olhovchenkov wrote: > > > On Tue, Jun 07, 2016 at 09:00:29AM +0100, krad wrote: > > > > > Well there is a deadlock situation there so you have to relax one of the > > > conditions, for one time at least. > > > > > > Your best bet is to do a manual ntpdate against a fixed ip of known > > > goodness. If you have a lot of machines you need to do this on, use > > ansible > > > or similar to do the heavy lifting for you. Ansible is best in my opinion > > > if you dont have anything setup as its quick to get going. It does > > require > > > python on the target machines so you would need to install that first. > > > Something like the following should get it working (as you dont have dns > > on > > > the target machine, package fetches wont work, so i would tunnel a squid > > > proxy and let that handle all the internet stuff. > > > > > > add something like the following to your ssh_config > > > > > > Host * > > > RemoteForward 31280 squid_server:3128 > > > > > > then run some stuff like this (after installing ansible on your > > > desktop/bastion host) > > > > > > ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy= > > > http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i > > > -kS --ask-su-pass > > > > > > ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy= > > > http://127.0.0.1:31280 pkg install python' -u root -i > > > -kS --ask-su-pass > > > > > > ansible -m shell -a "ntpdate " -kS --ask-su-pass -i > > > > > > > > > from here on you should be able to start unbound and then ntpd eg > > > > > > ansible -m service -a "name=local_unbound state=restarted" > > > -kS --ask-su-pass -i > > > ansible -m service -a "name=ntpd state=restarted" -kS --ask-su-pass -i > > > > > > > > Alternatively you could just relax your dnssec rules on first boot to > > give > > > ntp a chance. Probably much easier 8) > > > > How I am do it? I am don't touch dnssec rules and don't know unbound. > > May be this is posible by startup scripts? > > Also, some platforms lack of CMOS time, RPi, for example. > > > > > Also make sure you are using the '-g' flag on ntpd > > > > Yes, I am add `ntpd_sync_on_start=yes` to rc.conf. > > I am suggest do it by checkbox in bsdinstall. > > > > > > > On 6 June 2016 at 14:50, Slawa Olhovchenkov wrote: > > > > > > > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote: > > > > > > > > > Slawa Olhovchenkov writes: > > > > > > > > > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote: > > > > > > > > > > > >> Slawa Olhovchenkov writes: > > > > > >> > > > > > >> > Default install with local_unbound and ntpd can't be functional > > with > > > > > >> > incorrect date/time in BIOS: > > > > > >> > > > > > > >> > Unbound requred correct time for DNSSEC check and refuseing > > queries > > > > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to > > prime > > > > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN") > > > > > >> > > > > > > >> > ntpd don't have any numeric IP of ntp servers in ntp.conf -- > > only > > > > > >> > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't > > > > > >> > resolve (see above, about DNSKEY). > > > > > >> > > > > > >> I can't see how this would happen. DNSSEC doesn't seem to be > > required > > > > in > > > > > >> a regular install as far as I can see. Certainly I don't have any > > > > > > > > > > > > I don't know reasson for enforcing DNSSEC in regular install. > > > > > > I am just select `local_unbound` at setup time and enter > > `127.0.0.1` as > > > > > > nameserver address. > > > > > > > > > > That's not enough to configure unbound as a fully recursive DNS > > > > > server. > > > > > > > > What I am missing? > > > > Need to fix unbound setup scripts? bsdinstall scripts? > > > > As I see unbound setup scripts detects 127.0.0.1 in resolv.conf and > > > > configured unbound as fully recursive DNS server. > > > > > > > > > If your system gets its address through DHCP, it is probably > > > > > getting DNS server addresses as well, and would work fine *without* > > your > > > > >
Re: unbound and ntp issuse
Like i said you could configure ntpdate as well as ntpd, but give it a known good ip. It will only run once at boot, and ntpd will start after so that can use the nice pool names. A slightly better way maybe to give ntpdate a server hostname like ntp-server and populated the hosts file with one of the ips from pool.ntp.org. You could then have a periodic script to check and update the ip in the hosts every day, so it works over a reboot. The ip would obviously have to have an initial seed value, but you could work this out progmatically at system configuration time with tools like ansible. On 7 June 2016 at 09:47, Slawa Olhovchenkov wrote: > On Tue, Jun 07, 2016 at 09:00:29AM +0100, krad wrote: > > > Well there is a deadlock situation there so you have to relax one of the > > conditions, for one time at least. > > > > Your best bet is to do a manual ntpdate against a fixed ip of known > > goodness. If you have a lot of machines you need to do this on, use > ansible > > or similar to do the heavy lifting for you. Ansible is best in my opinion > > if you dont have anything setup as its quick to get going. It does > require > > python on the target machines so you would need to install that first. > > Something like the following should get it working (as you dont have dns > on > > the target machine, package fetches wont work, so i would tunnel a squid > > proxy and let that handle all the internet stuff. > > > > add something like the following to your ssh_config > > > > Host * > > RemoteForward 31280 squid_server:3128 > > > > then run some stuff like this (after installing ansible on your > > desktop/bastion host) > > > > ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy= > > http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i > > -kS --ask-su-pass > > > > ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy= > > http://127.0.0.1:31280 pkg install python' -u root -i > > -kS --ask-su-pass > > > > ansible -m shell -a "ntpdate " -kS --ask-su-pass -i > > > > > > from here on you should be able to start unbound and then ntpd eg > > > > ansible -m service -a "name=local_unbound state=restarted" > > -kS --ask-su-pass -i > > ansible -m service -a "name=ntpd state=restarted" -kS --ask-su-pass -i > > > > > Alternatively you could just relax your dnssec rules on first boot to > give > > ntp a chance. Probably much easier 8) > > How I am do it? I am don't touch dnssec rules and don't know unbound. > May be this is posible by startup scripts? > Also, some platforms lack of CMOS time, RPi, for example. > > > Also make sure you are using the '-g' flag on ntpd > > Yes, I am add `ntpd_sync_on_start=yes` to rc.conf. > I am suggest do it by checkbox in bsdinstall. > > > > On 6 June 2016 at 14:50, Slawa Olhovchenkov wrote: > > > > > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote: > > > > > > > Slawa Olhovchenkov writes: > > > > > > > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote: > > > > > > > > > >> Slawa Olhovchenkov writes: > > > > >> > > > > >> > Default install with local_unbound and ntpd can't be functional > with > > > > >> > incorrect date/time in BIOS: > > > > >> > > > > > >> > Unbound requred correct time for DNSSEC check and refuseing > queries > > > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to > prime > > > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN") > > > > >> > > > > > >> > ntpd don't have any numeric IP of ntp servers in ntp.conf -- > only > > > > >> > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't > > > > >> > resolve (see above, about DNSKEY). > > > > >> > > > > >> I can't see how this would happen. DNSSEC doesn't seem to be > required > > > in > > > > >> a regular install as far as I can see. Certainly I don't have any > > > > > > > > > > I don't know reasson for enforcing DNSSEC in regular install. > > > > > I am just select `local_unbound` at setup time and enter > `127.0.0.1` as > > > > > nameserver address. > > > > > > > > That's not enough to configure unbound as a fully recursive DNS > > > > server. > > > > > > What I am missing? > > > Need to fix unbound setup scripts? bsdinstall scripts? > > > As I see unbound setup scripts detects 127.0.0.1 in resolv.conf and > > > configured unbound as fully recursive DNS server. > > > > > > > If your system gets its address through DHCP, it is probably > > > > getting DNS server addresses as well, and would work fine *without* > your > > > > configuring any of the DNS state. > > > > > > I am have static address and don't getting DNS server address. > > > > > > > >> problem on any of my systems, and I've never configured an anchor > on > > > the > > > > >> internal systems. > > > > >> > > > > >> > IMHO, ntp.conf need to include some numeric IP of public ntp > > > servers. > > > > >> > > > > >> Ouch; that's a terrible idea, for several different reasons. > > > > > > > > > > What else? > > > > > > > > All the normal reasons
Re: unbound and ntp issuse
On Tue, Jun 07, 2016 at 09:00:29AM +0100, krad wrote: > Well there is a deadlock situation there so you have to relax one of the > conditions, for one time at least. > > Your best bet is to do a manual ntpdate against a fixed ip of known > goodness. If you have a lot of machines you need to do this on, use ansible > or similar to do the heavy lifting for you. Ansible is best in my opinion > if you dont have anything setup as its quick to get going. It does require > python on the target machines so you would need to install that first. > Something like the following should get it working (as you dont have dns on > the target machine, package fetches wont work, so i would tunnel a squid > proxy and let that handle all the internet stuff. > > add something like the following to your ssh_config > > Host * > RemoteForward 31280 squid_server:3128 > > then run some stuff like this (after installing ansible on your > desktop/bastion host) > > ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy= > http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i > -kS --ask-su-pass > > ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy= > http://127.0.0.1:31280 pkg install python' -u root -i > -kS --ask-su-pass > > ansible -m shell -a "ntpdate " -kS --ask-su-pass -i > > > from here on you should be able to start unbound and then ntpd eg > > ansible -m service -a "name=local_unbound state=restarted" > -kS --ask-su-pass -i > ansible -m service -a "name=ntpd state=restarted" -kS --ask-su-pass -i > > Alternatively you could just relax your dnssec rules on first boot to give > ntp a chance. Probably much easier 8) How I am do it? I am don't touch dnssec rules and don't know unbound. May be this is posible by startup scripts? Also, some platforms lack of CMOS time, RPi, for example. > Also make sure you are using the '-g' flag on ntpd Yes, I am add `ntpd_sync_on_start=yes` to rc.conf. I am suggest do it by checkbox in bsdinstall. > On 6 June 2016 at 14:50, Slawa Olhovchenkov wrote: > > > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote: > > > > > Slawa Olhovchenkov writes: > > > > > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote: > > > > > > > >> Slawa Olhovchenkov writes: > > > >> > > > >> > Default install with local_unbound and ntpd can't be functional with > > > >> > incorrect date/time in BIOS: > > > >> > > > > >> > Unbound requred correct time for DNSSEC check and refuseing queries > > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime > > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN") > > > >> > > > > >> > ntpd don't have any numeric IP of ntp servers in ntp.conf -- only > > > >> > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't > > > >> > resolve (see above, about DNSKEY). > > > >> > > > >> I can't see how this would happen. DNSSEC doesn't seem to be required > > in > > > >> a regular install as far as I can see. Certainly I don't have any > > > > > > > > I don't know reasson for enforcing DNSSEC in regular install. > > > > I am just select `local_unbound` at setup time and enter `127.0.0.1` as > > > > nameserver address. > > > > > > That's not enough to configure unbound as a fully recursive DNS > > > server. > > > > What I am missing? > > Need to fix unbound setup scripts? bsdinstall scripts? > > As I see unbound setup scripts detects 127.0.0.1 in resolv.conf and > > configured unbound as fully recursive DNS server. > > > > > If your system gets its address through DHCP, it is probably > > > getting DNS server addresses as well, and would work fine *without* your > > > configuring any of the DNS state. > > > > I am have static address and don't getting DNS server address. > > > > > >> problem on any of my systems, and I've never configured an anchor on > > the > > > >> internal systems. > > > >> > > > >> > IMHO, ntp.conf need to include some numeric IP of public ntp > > servers. > > > >> > > > >> Ouch; that's a terrible idea, for several different reasons. > > > > > > > > What else? > > > > > > All the normal reasons that hard-coding IP addresses is a bad idea; they > > > can change, you're encouraging a lot of people to use the same ones, etc. > > > > And how to resolve this issuse: > > > > - default install with unbound as recursive DNS server (by default > > enforcing DNSSEC) > > - ntp time synchronisation > > - stale CMOS time (2008 year) > > ___ > > freebsd-stable@freebsd.org mailing list > > https://lists.freebsd.org/mailman/listinfo/freebsd-stable > > To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org" > > ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
Well there is a deadlock situation there so you have to relax one of the conditions, for one time at least. Your best bet is to do a manual ntpdate against a fixed ip of known goodness. If you have a lot of machines you need to do this on, use ansible or similar to do the heavy lifting for you. Ansible is best in my opinion if you dont have anything setup as its quick to get going. It does require python on the target machines so you would need to install that first. Something like the following should get it working (as you dont have dns on the target machine, package fetches wont work, so i would tunnel a squid proxy and let that handle all the internet stuff. add something like the following to your ssh_config Host * RemoteForward 31280 squid_server:3128 then run some stuff like this (after installing ansible on your desktop/bastion host) ansible -b -m raw -a '/usr/bin/env ASSUME_ALWAYS_YES=1 http_proxy= http://127.0.0.1:31280 /usr/sbin/pkg bootstrap -f' -u root -i -kS --ask-su-pass ansible -b -m raw -a 'env ASSUME_ALWAYS_YES=YES http_proxy= http://127.0.0.1:31280 pkg install python' -u root -i -kS --ask-su-pass ansible -m shell -a "ntpdate " -kS --ask-su-pass -i from here on you should be able to start unbound and then ntpd eg ansible -m service -a "name=local_unbound state=restarted" -kS --ask-su-pass -i ansible -m service -a "name=ntpd state=restarted" -kS --ask-su-pass -i wrote: > On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote: > > > Slawa Olhovchenkov writes: > > > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote: > > > > > >> Slawa Olhovchenkov writes: > > >> > > >> > Default install with local_unbound and ntpd can't be functional with > > >> > incorrect date/time in BIOS: > > >> > > > >> > Unbound requred correct time for DNSSEC check and refuseing queries > > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime > > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN") > > >> > > > >> > ntpd don't have any numeric IP of ntp servers in ntp.conf -- only > > >> > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't > > >> > resolve (see above, about DNSKEY). > > >> > > >> I can't see how this would happen. DNSSEC doesn't seem to be required > in > > >> a regular install as far as I can see. Certainly I don't have any > > > > > > I don't know reasson for enforcing DNSSEC in regular install. > > > I am just select `local_unbound` at setup time and enter `127.0.0.1` as > > > nameserver address. > > > > That's not enough to configure unbound as a fully recursive DNS > > server. > > What I am missing? > Need to fix unbound setup scripts? bsdinstall scripts? > As I see unbound setup scripts detects 127.0.0.1 in resolv.conf and > configured unbound as fully recursive DNS server. > > > If your system gets its address through DHCP, it is probably > > getting DNS server addresses as well, and would work fine *without* your > > configuring any of the DNS state. > > I am have static address and don't getting DNS server address. > > > >> problem on any of my systems, and I've never configured an anchor on > the > > >> internal systems. > > >> > > >> > IMHO, ntp.conf need to include some numeric IP of public ntp > servers. > > >> > > >> Ouch; that's a terrible idea, for several different reasons. > > > > > > What else? > > > > All the normal reasons that hard-coding IP addresses is a bad idea; they > > can change, you're encouraging a lot of people to use the same ones, etc. > > And how to resolve this issuse: > > - default install with unbound as recursive DNS server (by default > enforcing DNSSEC) > - ntp time synchronisation > - stale CMOS time (2008 year) > ___ > freebsd-stable@freebsd.org mailing list > https://lists.freebsd.org/mailman/listinfo/freebsd-stable > To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org" > ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
On Mon, Jun 06, 2016 at 09:33:02AM -0400, Lowell Gilbert wrote: > Slawa Olhovchenkov writes: > > > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote: > > > >> Slawa Olhovchenkov writes: > >> > >> > Default install with local_unbound and ntpd can't be functional with > >> > incorrect date/time in BIOS: > >> > > >> > Unbound requred correct time for DNSSEC check and refuseing queries > >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime > >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN") > >> > > >> > ntpd don't have any numeric IP of ntp servers in ntp.conf -- only > >> > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't > >> > resolve (see above, about DNSKEY). > >> > >> I can't see how this would happen. DNSSEC doesn't seem to be required in > >> a regular install as far as I can see. Certainly I don't have any > > > > I don't know reasson for enforcing DNSSEC in regular install. > > I am just select `local_unbound` at setup time and enter `127.0.0.1` as > > nameserver address. > > That's not enough to configure unbound as a fully recursive DNS > server. What I am missing? Need to fix unbound setup scripts? bsdinstall scripts? As I see unbound setup scripts detects 127.0.0.1 in resolv.conf and configured unbound as fully recursive DNS server. > If your system gets its address through DHCP, it is probably > getting DNS server addresses as well, and would work fine *without* your > configuring any of the DNS state. I am have static address and don't getting DNS server address. > >> problem on any of my systems, and I've never configured an anchor on the > >> internal systems. > >> > >> > IMHO, ntp.conf need to include some numeric IP of public ntp servers. > >> > >> Ouch; that's a terrible idea, for several different reasons. > > > > What else? > > All the normal reasons that hard-coding IP addresses is a bad idea; they > can change, you're encouraging a lot of people to use the same ones, etc. And how to resolve this issuse: - default install with unbound as recursive DNS server (by default enforcing DNSSEC) - ntp time synchronisation - stale CMOS time (2008 year) ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
Slawa Olhovchenkov writes: > On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote: > >> Slawa Olhovchenkov writes: >> >> > Default install with local_unbound and ntpd can't be functional with >> > incorrect date/time in BIOS: >> > >> > Unbound requred correct time for DNSSEC check and refuseing queries >> > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime >> > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN") >> > >> > ntpd don't have any numeric IP of ntp servers in ntp.conf -- only >> > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't >> > resolve (see above, about DNSKEY). >> >> I can't see how this would happen. DNSSEC doesn't seem to be required in >> a regular install as far as I can see. Certainly I don't have any > > I don't know reasson for enforcing DNSSEC in regular install. > I am just select `local_unbound` at setup time and enter `127.0.0.1` as > nameserver address. That's not enough to configure unbound as a fully recursive DNS server. If your system gets its address through DHCP, it is probably getting DNS server addresses as well, and would work fine *without* your configuring any of the DNS state. >> problem on any of my systems, and I've never configured an anchor on the >> internal systems. >> >> > IMHO, ntp.conf need to include some numeric IP of public ntp servers. >> >> Ouch; that's a terrible idea, for several different reasons. > > What else? All the normal reasons that hard-coding IP addresses is a bad idea; they can change, you're encouraging a lot of people to use the same ones, etc. ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
On Fri, Jun 03, 2016 at 02:34:18PM -0400, Lowell Gilbert wrote: > Slawa Olhovchenkov writes: > > > Default install with local_unbound and ntpd can't be functional with > > incorrect date/time in BIOS: > > > > Unbound requred correct time for DNSSEC check and refuseing queries > > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime > > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN") > > > > ntpd don't have any numeric IP of ntp servers in ntp.conf -- only > > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't > > resolve (see above, about DNSKEY). > > I can't see how this would happen. DNSSEC doesn't seem to be required in > a regular install as far as I can see. Certainly I don't have any I don't know reasson for enforcing DNSSEC in regular install. I am just select `local_unbound` at setup time and enter `127.0.0.1` as nameserver address. > problem on any of my systems, and I've never configured an anchor on the > internal systems. > > > IMHO, ntp.conf need to include some numeric IP of public ntp servers. > > Ouch; that's a terrible idea, for several different reasons. What else? ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
Re: unbound and ntp issuse
Slawa Olhovchenkov writes: > Default install with local_unbound and ntpd can't be functional with > incorrect date/time in BIOS: > > Unbound requred correct time for DNSSEC check and refuseing queries > ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime > trust anchor -- DNSKEY rrset is not secure . DNSKEY IN") > > ntpd don't have any numeric IP of ntp servers in ntp.conf -- only > symbolic names like 0.freebsd.pool.ntp.org, as result -- can't > resolve (see above, about DNSKEY). I can't see how this would happen. DNSSEC doesn't seem to be required in a regular install as far as I can see. Certainly I don't have any problem on any of my systems, and I've never configured an anchor on the internal systems. > IMHO, ntp.conf need to include some numeric IP of public ntp servers. Ouch; that's a terrible idea, for several different reasons. ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"
unbound and ntp issuse
Default install with local_unbound and ntpd can't be functional with incorrect date/time in BIOS: Unbound requred correct time for DNSSEC check and refuseing queries ("Jul 1 20:17:29 yellowrat unbound: [3444:0] info: failed to prime trust anchor -- DNSKEY rrset is not secure . DNSKEY IN") ntpd don't have any numeric IP of ntp servers in ntp.conf -- only symbolic names like 0.freebsd.pool.ntp.org, as result -- can't resolve (see above, about DNSKEY). IMHO, ntp.conf need to include some numeric IP of public ntp servers. # date Tue Jul 1 20:36:31 MSD 2008 ___ freebsd-stable@freebsd.org mailing list https://lists.freebsd.org/mailman/listinfo/freebsd-stable To unsubscribe, send any mail to "freebsd-stable-unsubscr...@freebsd.org"