Re: ntpdate(8) and unbound(8) dependencies during boot

To: Sad Clouds <cryintothebluesky%gmail.com@localhost>, Greg Troxel <gdt%lexort.com@localhost>
Subject: Re: ntpdate(8) and unbound(8) dependencies during boot
From: John Nemeth <jnemeth%cue.bc.ca@localhost>
Date: Sun, 11 Oct 2020 15:46:02 -0700

On Oct 11, 16:47, Sad Clouds wrote:
} On Sun, 11 Oct 2020 09:40:36 -0400 Greg Troxel <gdt%lexort.com@localhost> wrote:
} 
} > So, this is a request to explain how a 'default install' has this
} > problem, or to clarify the problem statement.
} 
} Well NetBSD-9 comes with "unbound" which is supposed to replace "bind"

     unbound is a caching resolver, it does not replace BIND.

} as a recursive/caching name server. If you care about security, then

     However, NetBSD-9 also comes with nsd which is a full fledged
name server.  As for myself, I have complex BIND configs that take
advantage of a number of advanced features, so I have no intention
of switching.

} you will always use DNSSEC and DoT, which (in my opinion) should be
} configured by default. Think of it as http vs https and how most people
} are now using https by default. Whether NetBSD default install
} configures those features, is a completely different matter.

     I actually think the overuse of https is problematic, but
that's a different issue.

     I don't see a default config for unbound or nsd.  However,
the default config for BIND does enable DNSSEC (note that you still
have to deal with certificates and keys for domains for which you
are authoritative, although current versions have a lot of tools
to assist you).  Unfortunately, BIND does not currently support
DoT out of the box (the recommended solution is to use stunnel).
However, 9.18 expected in Q2 next year will have support.

     Out of the box, none of unbound, nsd, or BIND are enabled by
default.

} There is a known issue (which is not exclusive to NetBSD, nor to
} unbound) that revolves around a circular dependency with ntpdate/ntpd
} and DNSSEC. There are several ways to work around this issue. The fact
} that NetBSD does not enable DNSSEC by default, should not preclude it
} from implementing or documenting a work around.

     As noted, NetBSD does not have any kind of DNS support setup
by default.  However, if you enable BIND and point your system at
it, then you will get DNSSEC support.

}-- End of excerpt from Sad Clouds

Follow-Ups:
- Re: ntpdate(8) and unbound(8) dependencies during boot
  - From: Sad Clouds

Prev by Date: Re: ntpdate(8) and unbound(8) dependencies during boot
Next by Date: Re: ntpdate(8) and unbound(8) dependencies during boot
Previous by Thread: Re: ntpdate(8) and unbound(8) dependencies during boot
Next by Thread: Re: ntpdate(8) and unbound(8) dependencies during boot
Indexes:

Home | Main Index | Thread Index | Old Index