I have a feeling you have something personal against me, but I cannot
remember that we ever discussed anything. Your responses seem to me a bit
overreacted and I do not understand why. More below.
On 20. 04. 23 1:24, Fred Morris via Unbound-users wrote:
"Pulling yourself up by your bootstraps" is never going to be pretty,
although it can be entertaining (I'm picturing Jerry Lewis or Dick Van
Dyke on the Carol Burnett show).
I don't follow; I do not care about actors' names in TV shows anyway.
On Wed, 19 Apr 2023, Petr Menšík via Unbound-users wrote:
If you add this into /etc/hosts, then you could instead just use
fixed address(es) in the NTP service instead of a name. The use of DNS is
good, because you can change it on the server only and clients will
notice that soon.
If you hardcode an IP address, or an address for the name, then there is no
reason to use the name anymore. A comment above the IP addresses would be
just as good.
There are clearly options. 8)
There always are.
On 16. 04. 23 15:43, tito via Unbound-users wrote:
On Sun, 16 Apr 2023 09:19:13 -0400 James Cloos via Unbound-users <unbound-users@lists.nlnetlabs.nl> wrote:
"FMvU" == Fred Morris via Unbound-users <unbound-users@lists.nlnetlabs.nl> writes:
FMvU> This is where it starts to go off the rails for me. I mean: where?
FMvU> Someplace which is neither configured a fixed address or provisioned
FMvU> with DHCP... and yet is connected to the internet: where is that?
he means a fixed ip for the ntp server, not for the client.
-JimC
Hi,
couldn't this be added to /etc/hosts?
DNSSEC requires accurate time (as does TSIG). Without going into the
sprawling, messy details (they're everywhere!) it's because The DNS is
a global resource.
DNS the protocol, operating locally in a controlled environment,
arguably doesn't need DNSSEC at all. Today. Not yesterday. Today; and
tomorrow. (Not sure about the day after that.)
I do not agree with your conclusion. I think DNSSEC can be useful even on
end devices like laptops, maybe even phones. Already, today. But I admit
preparing a system to have DNSSEC enabled by default has its challenges.
Especially broken forwarders are still not rare enough. I think DANE can
still be useful on common end devices. Therefore I am looking for a way to
make it possible. I do not want to enforce it anywhere, just make it possible.
Bootstrapping is a messy thing, and it often requires doing things at
one stage which are countermanded / replaced / nullified at a later
stage. Like that keyboard, or a disk, or network card, needing a
driver loaded before the "real" boot.
In a containerized environment, /etc/hosts could indeed be edited in
the image by the host OS prior to booting the image. OTOH it could
certainly have an initial value which points to a local resource to
start with. Lots of options here, some much more complicated or
sophisticated (not interested in saying anything here is a "problem"
thereby in need of a patented "solution").
I doubt containerized environments need to solve time setting, because
the host is responsible for providing it. It makes sense that it has done it
well enough before starting any containers. Also the host should be doing the
DNS cache, not every container, IMHO. It seems to me you are referring more
to the server world, where I am looking more at end user devices.
I helped build a malware sandbox which ran malware which was most def
interested in learning as much as possible about its operating
environment. Needless to say, we were successful. We did it with
adversarial payloads, and you (generic traditional rhetorical plural)
can't do it when presented with an environment which is purpose built
to help you succeed? I find it puzzling... at least, excepting
misfeasance and malfeasance.
I am afraid I do not follow here.
I still want to understand more about "what boot environment does
this?" but this is not a DNS question. I totally get that a device
could boot a real OS without having a real clock. Why can't someone
propose a real environment as a reference model to center and pin this
discussion?
--
Fred Morris
Take as an example a Fedora distribution image prepared to run on a
Raspberry Pi device. Let's say I would like to use that device as an ssh
terminal and I would like to have SSHFP records validated (where
possible). Instead of systemd-resolved I would like unbound as a system
cache, but with boot race conditions solved by the vendor already.
So there are just minimal steps to do on my side as a user. Ideally it
would boot from a live DVD alternative without me changing anything.
Similarly when I boot a live DVD on a freshly bought laptop, where let's
imagine DNSSEC validation is enabled by default. I want to boot into the
graphical interface without ever having to visit the BIOS to set the date; I
expect it can fix it itself. All I need to do is plug in the network cable.
Regards,
Petr
--
Petr Menšík
Software Engineer, RHEL
Red Hat, http://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
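The two technical points in the thread above, that DNSSEC validation only works while the validator's clock falls inside each RRSIG's inception/expiration window, and that pinning the NTP server's name in /etc/hosts lets time be set before DNS (and so DNSSEC) is usable, can be checked mechanically. The following is an added example written for this page, not code from the thread's participants or from the Unbound project. The RRSIG line, the /etc/hosts text, the host name ntp.example.net and the clock values are all constructed sample data; the RRSIG field layout follows RFC 4034 (timestamps are YYYYMMDDHHmmSS in UTC) and the serial-number arithmetic the RFC allows for wrapped timestamps is deliberately not modelled.

```python
"""Clock-window and /etc/hosts checks for a DNSSEC bootstrap (added example).

An RRSIG carries an expiration and an inception timestamp.  A validator whose
clock is outside that window rejects every signature, which is exactly what
happens on a device that boots near the epoch without a battery-backed clock.
All data below is constructed for the example.
"""
from datetime import datetime, timezone

# Constructed sample RRSIG in presentation format (RFC 4034 section 3.2).
SAMPLE_RRSIG = (
    "example.com. 3600 IN RRSIG A 13 2 3600 "
    "20230501000000 20230401000000 12345 example.com. "
    "c29tZS1zaWduYXR1cmUtYnl0ZXM="
)

# Constructed sample /etc/hosts that pins the (hypothetical) NTP server name.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
# constructed: fixed entry so time can be set before DNS/DNSSEC is available
192.0.2.10  ntp.example.net
"""

# Constructed clock values: a Pi booting at the epoch, a synced clock, and a
# clock that has drifted far past the signature window.
EPOCH_BOOT = datetime(1970, 1, 1, tzinfo=timezone.utc)
SYNCED_NOW = datetime(2023, 4, 19, 12, 0, tzinfo=timezone.utc)
LATE_CLOCK = datetime(2024, 1, 1, tzinfo=timezone.utc)


def _parse_ts(field: str) -> datetime:
    """Parse an RRSIG YYYYMMDDHHmmSS field as a UTC datetime."""
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_window(line: str) -> tuple:
    """Return (inception, expiration) from an RRSIG presentation-format line."""
    fields = line.split()
    if len(fields) < 13 or fields[3] != "RRSIG":
        raise ValueError("not an RRSIG record")
    # After the type field: type covered, algorithm, labels, original TTL,
    # expiration, inception, key tag, signer name, signature.
    expiration = _parse_ts(fields[8])
    inception = _parse_ts(fields[9])
    return inception, expiration


def clock_status(now: datetime, inception: datetime, expiration: datetime) -> str:
    """Classify the validator clock relative to the signature window."""
    if now < inception:
        return "too_early"   # clock reset to the epoch or to the build date
    if now > expiration:
        return "expired"     # clock far ahead, or a genuinely stale signature
    return "valid"


def hosts_has_name(hosts_text: str, name: str) -> bool:
    """True if /etc/hosts-style text maps the name, so no DNS lookup is needed."""
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()      # drop comments, then split
        if len(fields) >= 2 and name.lower() in (n.lower() for n in fields[1:]):
            return True
    return False


def bootstrap_report(hosts_text: str, ntp_name: str, rrsig_line: str, now: datetime) -> dict:
    """Combine both checks: can time be fetched without DNS, and is the clock usable?"""
    inception, expiration = rrsig_window(rrsig_line)
    return {
        "ntp_pinned_in_hosts": hosts_has_name(hosts_text, ntp_name),
        "clock": clock_status(now, inception, expiration),
    }


if __name__ == "__main__":
    for label, now in (("epoch boot", EPOCH_BOOT), ("synced", SYNCED_NOW), ("late", LATE_CLOCK)):
        print(label, bootstrap_report(SAMPLE_HOSTS, "ntp.example.net", SAMPLE_RRSIG, now))
```

Running it shows the epoch-boot clock classified as too_early against the constructed signature while the NTP name is still resolvable from /etc/hosts, which is the ordering the thread is after: fetch time first via a name that needs no DNS, then start validating.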