On Sun, 16 Apr 2023, Petr Menšík via Unbound-users wrote:
> Like many other systems, Fedora tries to use the chrony service to
> synchronize and correct the time with NTP. The problem is that unless the
> user has configured a fixed IP, or NTP servers were provided by DHCP, it
> needs to do DNS resolution.
> Fedora uses 2.fedora.pool.ntp.org. ntp.org is not signed, but org. has to
> pass validation. It will never succeed if the date is wrong and the cache is
> already up, therefore the system relies on it.
> I think it is a technical problem: there is a dependency loop. DNSSEC needs
> at least roughly correct time for unbound (or any validating resolver) to
> deliver the IP for the NTP server.
From a very practical point of view, you can change the chrony service
file and use something like
ExecStartPre=unbound-control insecure_add pool.ntp.org
ExecStartPost=dig pool.ntp.org
ExecStartPost=unbound-control insecure_del pool.ntp.org
ExecStartPost=unbound-control flush_zone pool.ntp.org
Paul
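The following script is an added example and not code from this thread or from the Unbound or chrony projects. It carries out the insecure_add / resolve / insecure_del / flush_zone sequence from the reply above, but scoped to each NTP hostname found in the chrony configuration rather than the whole pool domain, and only when the clock is obviously wrong. It assumes `unbound-control` (with access to its control key, so normally run as root) and `dig` are in PATH; the `UNBOUND_CONTROL` and `RESOLVE_CMD` variables, the `BUILD_EPOCH` threshold and the sample chrony lines are all constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Unbound thread: carry out the
# insecure_add / resolve / insecure_del / flush_zone sequence for every NTP
# hostname in a chrony config, and only when the clock is obviously wrong.
# Assumes unbound-control (with access to its control key) and dig are in PATH.
set -eu

UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"   # override hook (assumption)
RESOLVE_CMD="${RESOLVE_CMD:-dig +short}"               # override hook (assumption)

# A clock earlier than when this script was written is certainly wrong.
# 1681603200 is 2023-04-16 00:00:00 UTC, the date of the thread (heuristic).
BUILD_EPOCH=1681603200

# Constructed sample of chrony.conf lines; a real run reads /etc/chrony.conf.
SAMPLE_CHRONY_CONF='pool 2.fedora.pool.ntp.org iburst
server ntp.example.net iburst
# server 192.0.2.1 iburst
server 192.0.2.2 iburst'

# Print the hostnames from "pool"/"server" lines read on stdin, skipping
# IPv4 and IPv6 literals (those need no DNS and so no DNSSEC exemption).
ntp_hostnames() {
    awk '($1 == "pool" || $1 == "server") && $2 !~ /^[0-9.]+$/ && $2 !~ /:/ { print $2 }'
}

# True when the clock (or the epoch given as $1) is at least BUILD_EPOCH.
clock_plausible() {
    now="${1:-$(date +%s)}"
    [ "$now" -ge "$BUILD_EPOCH" ]
}

# $1 = chrony config file, $2 = optional epoch to test instead of the clock.
# For each hostname: exempt exactly that name from validation, resolve it so
# chrony (which keeps retrying in the background) can get an answer, then
# restore validation and flush the unvalidated records so they do not
# outlive the exemption in the cache.
bootstrap_ntp_dns() {
    conf="$1"
    if clock_plausible "${2:-}"; then
        echo "clock looks sane, leaving DNSSEC validation alone" >&2
        return 0
    fi
    ntp_hostnames < "$conf" | while IFS= read -r host; do
        $UNBOUND_CONTROL insecure_add "$host"
        $RESOLVE_CMD "$host" || true   # a failed lookup must not skip the cleanup below
        $UNBOUND_CONTROL insecure_del "$host"
        $UNBOUND_CONTROL flush_zone "$host"
    done
}

# Run for real only when asked: BOOTSTRAP_RUN=1 sh bootstrap-ntp-dns.sh
if [ "${BOOTSTRAP_RUN:-0}" = 1 ]; then
    bootstrap_ntp_dns /etc/chrony.conf
fi
```

Wire it in with `ExecStartPre=` on the chrony unit (or a drop-in) so it runs before chrony does its own lookups. The per-hostname exemption is deliberately narrower than marking pool.ntp.org insecure: a negative trust anchor on the exact name is all the validator needs to answer that query, and nothing else under the pool domain is ever served unvalidated. The flush after insecure_del matters because unbound would otherwise keep the unvalidated records until their TTL expires, after validation has been switched back on.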