NetBSD-Users archive


Re: ntpdate(8) and unbound(8) dependencies during boot

On Oct 11, 16:47, Sad Clouds wrote:
} On Sun, 11 Oct 2020 09:40:36 -0400 Greg Troxel <> wrote:
} > So, this is a request to explain how a 'default install' has this
} > problem, or to clarify the problem statement.
} Well NetBSD-9 comes with "unbound" which is supposed to replace "bind"

     unbound is a caching resolver; it does not replace BIND.

} as a recursive/caching name server. If you care about security, then

     However, NetBSD-9 also comes with nsd, which is a full-fledged
name server.  As for myself, I have complex BIND configs that take
advantage of a number of advanced features, so I have no intention
of switching.

} you will always use DNSSEC and DoT, which (in my opinion) should be
} configured by default. Think of it as http vs https and how most people
} are now using https by default. Whether the NetBSD default install
} configures those features is a completely different matter.

     I actually think the overuse of https is problematic, but
that's a different issue.

     I don't see a default config for unbound or nsd.  However,
the default config for BIND does enable DNSSEC (note that you still
have to deal with certificates and keys for domains for which you
are authoritative, although current versions have a lot of tools
to assist you).  Unfortunately, BIND does not currently support
DoT out of the box (the recommended solution is to use stunnel).
However, 9.18 expected in Q2 next year will have support.

     Out of the box, none of unbound, nsd, or BIND are enabled by

} There is a known issue (which is not exclusive to NetBSD, nor to
} unbound) that revolves around a circular dependency with ntpdate/ntpd
} and DNSSEC. There are several ways to work around this issue. The fact
} that NetBSD does not enable DNSSEC by default should not preclude it
} from implementing or documenting a workaround.

     As noted, NetBSD does not have any kind of DNS support set up
by default.  However, if you enable BIND and point your system at
it, then you will get DNSSEC support.

}-- End of excerpt from Sad Clouds
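The circular dependency the thread mentions (ntpdate/ntpd needs DNS to find its servers, while a validating resolver needs a roughly correct clock to accept RRSIG validity windows) can be made concrete with a small model. The block below is an added illustration, not code from the thread or from NetBSD, unbound or BIND; the RRSIG timestamps, the NTP server list and the "boot-time clock" values are constructed, and treating IP-literal NTP servers as one workaround is an assumption of the example, not something the message spells out.

```python
"""Model of the boot-time deadlock between DNSSEC validation and NTP.

RRSIG records carry an inception and an expiration time (RFC 4034; the
presentation format is YYYYMMDDHHmmSS in UTC).  A validator rejects a
signature when the local clock is outside that window.  A host whose
clock starts at a bogus date therefore cannot validate any signed name,
and if its NTP servers are given as hostnames it cannot look them up
either, so the clock never gets fixed.

Added example; not part of the NetBSD mailing-list thread.
"""
from datetime import datetime, timedelta, timezone
import ipaddress

# Constructed sample RRSIG validity window (hypothetical values).
SAMPLE_INCEPTION = "20201001000000"
SAMPLE_EXPIRATION = "20201031000000"


def parse_rrsig_time(text):
    """Parse an RRSIG inception/expiration in YYYYMMDDHHmmSS (UTC) form."""
    return datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def rrsig_window_ok(inception, expiration, now, skew_seconds=0):
    """True if 'now' lies inside the signature's validity window.

    skew_seconds widens the window at both ends, the way a validator's
    clock-skew tolerance does; the default is the strict check.
    """
    inc = parse_rrsig_time(inception) - timedelta(seconds=skew_seconds)
    exp = parse_rrsig_time(expiration) + timedelta(seconds=skew_seconds)
    return inc <= now <= exp


def validation_possible(now):
    """Would the sample signed answer validate with the clock at 'now'?"""
    return rrsig_window_ok(SAMPLE_INCEPTION, SAMPLE_EXPIRATION, now)


def split_ntp_servers(servers):
    """Separate NTP servers reachable without DNS (IP literals) from names."""
    literals, names = [], []
    for server in servers:
        try:
            ipaddress.ip_address(server)
            literals.append(server)
        except ValueError:
            names.append(server)
    return literals, names


def boot_can_sync_time(servers, now):
    """Can the host reach some NTP server while its clock reads 'now'?

    Hostnames need a lookup through the validating resolver, which only
    succeeds when the clock already sits inside the RRSIG window.  An IP
    literal needs no lookup at all, which is why configuring at least one
    literal breaks the cycle (assumed workaround, not the thread's advice).
    """
    literals, names = split_ntp_servers(servers)
    if literals:
        return True
    return bool(names) and validation_possible(now)


if __name__ == "__main__":
    epoch_clock = parse_rrsig_time("19700101000000")   # clock not yet set
    good_clock = parse_rrsig_time("20201011094036")    # clock already sane
    named_only = ["pool.ntp.example"]                  # constructed names
    with_literal = ["192.0.2.1", "pool.ntp.example"]   # documentation prefix
    print("epoch clock, names only  :", boot_can_sync_time(named_only, epoch_clock))
    print("epoch clock, IP literal  :", boot_can_sync_time(with_literal, epoch_clock))
    print("sane clock, names only   :", boot_can_sync_time(named_only, good_clock))
```

Run as a script it prints False, True, True: the deadlock only exists when every NTP server must be resolved through a validator whose clock is outside the signature window. The other workarounds people use (temporarily skipping validation for the NTP names, widening the validator's skew tolerance, or restoring a saved clock before DNS starts) all attack the same check that `rrsig_window_ok` models.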
