Jason Mitchell <jar%bigjar.com@localhost> writes:
> Doesn't NTP refuse to start if the time difference is too great? 47
> days would definitely qualify (the max change is a few hours). If so,
> then running ntpdate before NTP will fix that problem.

I think you are correct, and I should have said that. I have rc.conf as

    ntpdate=YES
    ntpd=YES
    ntpd_chrootdir="/var/chroot/ntpd"

As I hinted at earlier, I found I had to turn off dnssec for machines
that were off for a long time, if one configures NTP servers by domain
name, such as pools. I changed

    dnssec-enable no;
    dnssec-validation no;

and named.conf has a hint.

I then decided to just hard-code some preferred NTP peers' IP addresses
in ntp.conf, and that works without dnssec working, and once the time is
right dnssec is ok again.
This only happened to me when something happened to a remote RPI3 and it
was powered off for a few weeks until I was able to visit and recover
it.
The moral of the story is that computers that run UNIX should have an
RTC because certificate validation, which requires time, is now a normal
part of operations.
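
Added example, not part of the original message or the author's configuration: a Python sketch of the dependency loop described above, checking an RRSIG validity window against a clock that is 47 days behind and listing the ntp.conf time sources that need DNS at all. The RRSIG line, the ntp.conf fragment, the dates and all host names are constructed sample data.

```python
import ipaddress
from datetime import datetime, timedelta, timezone

# Constructed sample data (not from the original message): one RRSIG line in
# the presentation format printed by `dig +dnssec`, and an ntp.conf fragment.
SAMPLE_RRSIG = ("pool.example. 3600 IN RRSIG A 13 2 3600 "
                "20240615000000 20240601000000 12345 example. c2lnbmF0dXJl")
SAMPLE_NTP_CONF = """\
# constructed example
pool 2.pool.example iburst
server 192.0.2.10 iburst
server ntp1.example
"""

def _ts(field):
    # RFC 4034 presentation format: YYYYMMDDHHmmSS, always UTC
    return datetime.strptime(field, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)

def rrsig_window(line):
    """Return (inception, expiration) from an RRSIG record line."""
    f = line.split()
    i = f.index("RRSIG")
    # rdata order: covered alg labels orig-ttl expiration inception keytag signer sig
    return _ts(f[i + 6]), _ts(f[i + 5])

def clock_verdict(line, now):
    """Say how a validator whose clock reads `now` sees this signature."""
    inception, expiration = rrsig_window(line)
    if now < inception:
        return "not-yet-valid"
    if now > expiration:
        return "expired"
    return "valid"

def dns_dependent_sources(conf_text):
    """List ntp.conf time sources given by name, which need DNS to resolve."""
    names = []
    for raw in conf_text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 2 and parts[0] in ("server", "pool", "peer"):
            try:
                ipaddress.ip_address(parts[1])   # IP literal: no DNS needed
            except ValueError:
                names.append(parts[1])
    return names

if __name__ == "__main__":
    true_now = datetime(2024, 6, 8, tzinfo=timezone.utc)
    stale = true_now - timedelta(days=47)   # clock stopped while powered off
    print(clock_verdict(SAMPLE_RRSIG, true_now), clock_verdict(SAMPLE_RRSIG, stale),
          dns_dependent_sources(SAMPLE_NTP_CONF))
```

Any source the last function returns cannot be resolved by a validating resolver while the first check says anything other than "valid", which is why the IP-literal entries keep working.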