NetBSD-Users archive
Re: Using NTP
On Sat, Nov 23, 2024 at 10:55:35AM +0100, Havard Eidnes wrote:
> > From /var/run/rc.log:
> >
> > [running /etc/rc.d/ntpdate]
> > Setting date via ntp.
> > Exiting, name server cannot be used: Temporary failure in name
> > resolution (2)/etc/rc.d/ntpdate exited with code 1
> >
> > From /etc/rc.conf:
> >
> > ntpd=YES ## 'ntp' == Network TIME Protocal
> > ntpdate=YES ntpdate_hosts="2.netbsd.pool.ntp.org"
> >
> > What is wrong with these lines in rc.conf ??
>
> They create a circular dependency.
>
> DNS name resolution these days in many cases relies on DNSSEC.
> DNSSEC depends on a semi-accurate local clock on your DNS
> recursive server, and if that is "yourself", something you don't
> have if your battery cell for your real-time clock chip is toast.
> If you don't have semi-accurate time already, you will get DNS
> name lookup errors (SERVFAIL, typically), and ntpdate ends up not
> being able to set the clock to fix the underlying issue for the
> DNS lookups.
>
> In many cases I use IP addresses in ntp.conf but obviously you
> can just supply a list of IP addresses in ntpdate_hosts as well
> if you prefer to break the circular dependency.

It's also worth mentioning that /etc/rc.d/ntpdate will parse
/etc/ntp.conf for servers to use, so it's essentially redundant to
configure the same NTP servers in ntp.conf and /etc/rc.conf
ntpdate_hosts.

So, if you run into the DNSSEC issue he@ describes, a workaround
could be setting an IP address in ntpdate_hosts and different NTP
servers in /etc/ntp.conf (if not using the default NetBSD servers
pool). Or, as he@ also mentioned, use IP addresses only in ntp.conf.

Cheers,
sr.
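
Added example, not part of the original message or of NetBSD's rc scripts: a small sh check for the circular dependency discussed in this thread, listing which entries in ntpdate_hosts and ntp.conf are host names (needing DNS before the clock is set) rather than IP addresses. The function names, the set of ntp.conf directives scanned, and the sample values are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): list NTP server entries that are
# host names and therefore need working DNS before the clock is set.

# is_ip_literal ADDR: succeed if ADDR is an IPv4 dotted quad or an IPv6 literal.
is_ip_literal() {
    case "$1" in
        *:*)  # IPv6 literal: hex digits, colons and dots only
            case "$1" in *[!0-9A-Fa-f:.]*) return 1 ;; esac
            return 0 ;;
        ''|.*|*.|*..*|*[!0-9.]*) return 1 ;;   # not purely dotted decimal
    esac
    set -- $(printf '%s' "$1" | tr . ' ')      # split into octets
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        [ "$octet" -le 255 ] || return 1
    done
    return 0
}

# ntp_conf_hosts: read ntp.conf on stdin, print the address field of each
# server/peer/pool line (which directives to scan is an assumption here).
ntp_conf_hosts() {
    awk '$1 == "server" || $1 == "peer" || $1 == "pool" { print $2 }'
}

# dns_dependent_hosts HOST...: print the entries that are names, not addresses.
dns_dependent_hosts() {
    for h in "$@"; do
        is_ip_literal "$h" || printf '%s\n' "$h"
    done
}

# Constructed sample input; 192.0.2.0/24 and 2001:db8::/32 are documentation ranges.
sample_ntpdate_hosts="2.netbsd.pool.ntp.org 192.0.2.10"
sample_ntp_conf='server 192.0.2.10 iburst
pool 2.netbsd.pool.ntp.org iburst
server 2001:db8::123
restrict default kod'

echo "ntpdate_hosts entries that need DNS:"
dns_dependent_hosts $sample_ntpdate_hosts
echo "ntp.conf entries that need DNS:"
dns_dependent_hosts $(printf '%s\n' "$sample_ntp_conf" | ntp_conf_hosts)
```

Any name this prints is an entry that cannot be resolved at boot if the resolver is validating DNSSEC and the clock is far off.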