Yes, something like that should work. But I think we lack some systemd target, which would announce the time is already synchronized. Then some single-run service could have

After=time-set.target
After=unbound.service

ExecStartPost=unbound-control insecure_del ntp.pool.org
ExecStartPost=unbound-control flush_zone ntp.pool.org

Without guessing by dig whether it is already reachable. But yes, something like that should work.

I think it may make sense to have an unbound-control flush_validate command. After I remove the insecure flag from ntp.pool.org, I could just request revalidation of that name. If anything under it were signed, but did not pass validation before or now, just flush such records. In most cases the data are already good, they just have to be validated and marked secure. It could avoid an unnecessary new query for the same thing.

On 17. 04. 23 15:45, Paul Wouters wrote:
On Sun, 16 Apr 2023, Petr Menšík via Unbound-users wrote:

Like many other systems, Fedora tries to use the chrony service to use NTP to synchronize and correct the time. The problem is that unless the user has configured a fixed IP or NTP servers were provided by DHCP, it needs to do DNS resolution. Fedora uses 2.fedora.pool.ntp.org. ntp.org is not signed, but org. has to pass validation. It will never succeed if the date is wrong and the cache is already up, therefore the system relies on it.

I think it is a technical problem that there is a dependency loop. DNSSEC needs at least roughly correct time for unbound (or any validating resolver) to deliver the IP for the NTP server.

From a very practical point of view you can change the chrony service
file and use something like

ExecStartPre=unbound-control insecure_add ntp.pool.org

ExecStartPost=dig ntp.pool.org
ExecStartPost=unbound-control insecure_del ntp.pool.org
ExecStartPost=unbound-control flush_zone ntp.pool.org

Paul

--
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
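The insecure_add / resolve / insecure_del / flush_zone sequence Paul proposes above, wrapped in a small POSIX sh script as an added example (not code from this thread, from chrony or from Unbound) so that the validation exemption is always removed and the zone flushed even when the lookup fails. It assumes unbound-control and dig are on PATH; the UNBOUND_CONTROL and DIG variables are a hypothetical override added here so the script can be exercised with stubs.

```shell
#!/bin/sh
# Added example, not code from the thread. Temporarily exempt one name from
# DNSSEC validation, resolve it, then restore validation and flush whatever
# was cached while the exemption was in force.
# Assumptions: unbound-control and dig on PATH (hypothetical UNBOUND_CONTROL /
# DIG overrides exist only for testing); the name is the first argument.
set -u

UNBOUND_CONTROL="${UNBOUND_CONTROL:-unbound-control}"
DIG="${DIG:-dig}"

# Remove the exemption and drop anything cached under the name, so the cache
# only keeps data that has passed validation. Returns 1 if either step fails.
restore_validation() {
    name="$1"
    "$UNBOUND_CONTROL" insecure_del "$name" >/dev/null 2>&1 || return 1
    "$UNBOUND_CONTROL" flush_zone "$name" >/dev/null 2>&1 || return 1
    return 0
}

# Resolve NAME with validation disabled for it, then restore validation on
# every path. Returns 0 when an address was obtained, 1 otherwise.
bootstrap_lookup() {
    name="$1"
    "$UNBOUND_CONTROL" insecure_add "$name" >/dev/null 2>&1 || return 1
    rc=0
    # A short timeout keeps the exemption window bounded.
    "$DIG" +short +time=5 +tries=2 "$name" A | grep -q '^[0-9]' || rc=1
    restore_validation "$name" || rc=1
    return "$rc"
}

# Run only when a name was given, so the file can also be sourced.
[ "${1:-}" = "" ] || bootstrap_lookup "$1"
```

Calling this from a single ExecStartPre= (or a separate oneshot unit) rather than splitting it across ExecStartPre=/ExecStartPost= matters because ExecStartPost= only runs after ExecStart= succeeded, so a failing chrony start would otherwise leave the exemption in place.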
