NetBSD-Users archive


Re: ntpdate(8) and unbound(8) dependencies during boot



On Sun, 11 Oct 2020 09:40:36 -0400
Greg Troxel <gdt%lexort.com@localhost> wrote:

> So, this is a request to explain how a 'default install' has this
> problem, or to clarify the problem statement.

Well, NetBSD-9 comes with "unbound", which is supposed to replace "bind"
as a recursive/caching name server. If you care about security, then
you will always use DNSSEC and DoT, which (in my opinion) should be
configured by default. Think of it as http vs https and how most people
are now using https by default. Whether the NetBSD default install
configures those features is a completely different matter.

There is a known issue (which is not exclusive to NetBSD, nor to
unbound) that revolves around a circular dependency with ntpdate/ntpd
and DNSSEC. There are several ways to work around this issue. The fact
that NetBSD does not enable DNSSEC by default should not preclude it
from implementing or documenting a workaround.

The default install is relying on "XXX.netbsd.pool.ntp.org" hostnames
in /etc/ntp.conf for both ntpdate and ntpd. This fails to work
correctly when two conditions occur at the same time:
a) DNSSEC is used and
b) System time is incorrect

as hostnames cannot be resolved, due to DNSSEC signature validation
failures, I think.

This failure is not very obvious and only noticeable when system time
is wrong by some specific value, which depends on the configuration of
the name server (could be minutes or hours or days).

Ideally ntpdate/ntpd should have a backup list of servers that are not
hostnames, but IP addresses and don't require functioning DNS. If this
can be automated via rc scripts, then it's one less thing to remember
for NetBSD users. Could be as simple as adding a few stable IP addresses
to /etc/ntp.conf and then marking hostnames as "prefer".
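As an added example (not from the thread or from NetBSD itself), the following POSIX sh script audits an ntp.conf for the fallback described above: it classifies every server/pool/peer line as a literal IP address or a hostname and warns when all time sources need DNS. The two config files and their addresses are constructed samples.

```shell
# Added example, not from the thread. Audits an ntp.conf for a time source
# given as a literal IP address, i.e. one usable before DNSSEC can validate.
# Print one line per time source: "<directive> <address> <ip|hostname>"
classify_sources() {
    awk '/^[[:space:]]*#/ { next }
         $1 == "server" || $1 == "pool" || $1 == "peer" {
             kind = ($2 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ || index($2, ":")) ? "ip" : "hostname"
             print $1, $2, kind
         }' "$1"
}

# Exit 0 only if at least one source is a literal IP address.
has_ip_fallback() {
    classify_sources "$1" | awk '$3 == "ip" { found = 1 } END { exit found ? 0 : 1 }'
}

# Number of sources that cannot be used until name resolution works.
count_hostname_sources() {
    classify_sources "$1" | awk '$3 == "hostname" { n++ } END { print n + 0 }'
}

# Report in the style of an rc-time sanity check; returns 1 on a DNS-only config.
audit_ntp_conf() {
    if has_ip_fallback "$1"; then
        echo "$1: OK, at least one time source does not depend on DNS"
    else
        echo "$1: WARNING, all $(count_hostname_sources "$1") time sources are hostnames"
        return 1
    fi
}

# Constructed samples. Addresses are RFC 5737/3849 documentation placeholders,
# not real NTP servers; the hostnames mirror the NetBSD default.
DEFAULT_CONF=$(mktemp) && FALLBACK_CONF=$(mktemp)
trap 'rm -f "$DEFAULT_CONF" "$FALLBACK_CONF"' EXIT
cat > "$DEFAULT_CONF" <<'EOF'
# hostnames only: unusable while DNSSEC validation fails on a bad clock
server 0.netbsd.pool.ntp.org iburst
server 1.netbsd.pool.ntp.org iburst
pool 2.netbsd.pool.ntp.org iburst
EOF
cat > "$FALLBACK_CONF" <<'EOF'
server 0.netbsd.pool.ntp.org iburst prefer
server 192.0.2.10 iburst
server 2001:db8::123 iburst
EOF

audit_ntp_conf "$DEFAULT_CONF" || true
audit_ntp_conf "$FALLBACK_CONF"
```

Refclock pseudo-addresses such as 127.127.x.x would be counted as IP sources by this check, so exclude them on hosts that use a local reference clock.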


