NetBSD-Users archive

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]

Re: ntpdate(8) and unbound(8) dependencies during boot

On 2020-10-15 00:55, Sad Clouds wrote:
On Wed, 14 Oct 2020 16:28:22 -0700
Jordan Geoghegan <> wrote:

1) Have ntp daemon check various trusted http/https servers at boot
to sanity check our clock and NTP data (no DNS needed, fall back to
HTTP only if clock is too broken to negotiate TLS)

2) Enjoy not having everything break on boot due to unfortunate lack
of RTC


Hi, you say working DNS is not needed, so are you saying that OpenBSD
default ntpd config comes with a set of static IP addresses that point
to NTP servers running via https protocol?

Not exactly, there are no NTP servers running over HTTP, it's a similar concept to the tlsdate util [1].

Basically all it's doing is extracting datestamps from the handshakes with the web servers, and comparing it to the data it's receiving via NTP (if any).

What's nice about this, is that because of DNS over HTTPS, there's a number of highly available IP endpoints that have had TLS certs issued to them, such as Quad9's and Cloudflare's, etc

By having all this fancy footwork done in one daemon (ntpd), it avoids having to mess around with individual daemons like unbound in a vain attempt to cope with broken clocks.

None of this is in any RFC, and may very well break in the future, but at least it's a working solution for right now until the big brains can engineer a proper, purpose-built solution.




Home | Main Index | Thread Index | Old Index