On Sun, 16 Apr 2023, Petr Menšík via Unbound-users wrote:

> Like many other systems, Fedora tries to use the chrony service to synchronize and correct the time with NTP. The problem is that unless the user has configured a fixed IP or NTP servers were provided by DHCP, it needs to do DNS resolution. Fedora uses 2.fedora.pool.ntp.org. ntp.org is not signed, but org. has to pass validation. It will never succeed if the date is wrong and the cache is already up, therefore the system relies on it.
>
> I think it is a technical problem that there is a dependency loop. DNSSEC needs at least roughly correct time for unbound (or any validating resolver) to deliver the IP for the NTP server.

From a very practical point of view you can change the chrony service
file and use something like

# Accept unvalidated answers below pool.ntp.org only while chrony starts.
ExecStartPre=unbound-control insecure_add pool.ntp.org

# Prime the cache with the name chrony actually asks for.
ExecStartPost=dig 2.fedora.pool.ntp.org
# Restore validation and drop the unvalidated answers from the cache.
ExecStartPost=unbound-control insecure_del pool.ntp.org
ExecStartPost=unbound-control flush_zone pool.ntp.org

Paul
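The script below is an added example, not code from this thread or from the Unbound or chrony projects. It implements the same idea as the unit-file change above, with three refinements a practitioner would want: the insecure marking covers only the exact source names taken from chrony.conf (never address literals), it is skipped entirely when the clock is already plausible, and it is withdrawn only after chronyd reports that it has synchronised, so the cache flush cannot race chronyd's own lookups. The paths, the REF_EPOCH default (the date of this thread; use your package build date), the state file and the assumption that the system resolver points at the local unbound are all hypothetical and marked as such in the code.

```shell
#!/bin/sh
# Added example, not code from this thread or from the Unbound/chrony projects.
# Resolve chrony's NTP source names through a validating unbound when the
# clock may be wrong, keeping the no-validation window narrow: only the
# exact source names, only until chrony has synced, only if the clock is
# implausible.
#
# Hypothetical assumptions, adjust for your system:
#   CHRONY_CONF  chrony config with pool/server/peer lines
#   REF_EPOCH    lower bound on the real time, e.g. your package build date;
#                a clock before it is known to be wrong
#   STATE        scratch file shared by the "open" and "close" steps
#   unbound-control is set up (unbound-control-setup) and the system
#   resolver (getent) points at the local unbound.
set -eu

CHRONY_CONF="${CHRONY_CONF:-/etc/chrony.conf}"
REF_EPOCH="${REF_EPOCH:-1681603200}"   # 2023-04-16T00:00:00Z, date of this thread
STATE="${STATE:-/run/ntp-dns-bootstrap.names}"

# clock_is_plausible NOW REF: true when NOW is not before REF. A clock that
# is behind REF cannot be right, so RRSIG inception checks would fail and
# DNSSEC validation is known to be hopeless until NTP has run.
clock_is_plausible() {
  [ "$1" -ge "$2" ]
}

# ntp_names_from_config: read chrony.conf on stdin, print the host names of
# pool/server/peer directives, one per line. Address literals are skipped:
# they need no DNS and must never be marked insecure.
ntp_names_from_config() {
  awk '
    $1 == "pool" || $1 == "server" || $1 == "peer" {
      name = $2
      if (name ~ /^[0-9.]+$/ || name ~ /:/) next   # IPv4 or IPv6 literal
      sub(/\.$/, "", name)                         # strip trailing dot
      print name
    }'
}

# open_window (ExecStartPre): if the clock is implausible, mark each source
# name insecure and prime the cache so chronyd's first lookup succeeds.
open_window() {
  now=$(date +%s)
  if clock_is_plausible "$now" "$REF_EPOCH"; then
    echo "clock looks sane, leaving DNSSEC validation untouched" >&2
    : > "$STATE"
    return 0
  fi
  ntp_names_from_config < "$CHRONY_CONF" > "$STATE"
  while read -r name; do
    unbound-control insecure_add "$name" >/dev/null
    getent ahosts "$name" >/dev/null || echo "warning: $name did not resolve" >&2
  done < "$STATE"
}

# close_window (ExecStartPost): wait until chronyd has synchronised (up to
# 60 tries at chronyc's default 10 s interval), then restore validation and
# drop the unvalidated answers so every later lookup is validated again.
close_window() {
  [ -s "$STATE" ] || return 0
  chronyc waitsync 60 >/dev/null \
    || echo "warning: chrony did not sync, restoring validation anyway" >&2
  while read -r name; do
    unbound-control insecure_del "$name" >/dev/null
    unbound-control flush "$name" >/dev/null
  done < "$STATE"
  rm -f "$STATE"
}

case "${1:-}" in
  open)  open_window ;;
  close) close_window ;;
esac
```

Install it somewhere like /usr/local/sbin/ntp-dns-bootstrap (a hypothetical path) and wire it into the chronyd unit with a drop-in (`systemctl edit chronyd.service`) containing `ExecStartPre=/usr/local/sbin/ntp-dns-bootstrap open` and `ExecStartPost=/usr/local/sbin/ntp-dns-bootstrap close`. Two caveats: the close step blocks the unit's start-up until chrony syncs or the 60 tries run out, so on systems where that matters run it from a separate oneshot unit ordered after chronyd; and while the window is open a spoofed answer for those names can still point chronyd at an attacker's servers, which is the same exposure the ExecStartPre/ExecStartPost version has. The script only narrows it to the exact names and to the time before first sync; it does not remove it.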
