[Pool] Pool, time, DNSSEC and startup catch-22

Phil Pennock ntp-pool-phil at spodhuis.org
Tue May 28 16:00:31 UTC 2013

Folks, after a tree-induced power & ISP connectivity outage, my router
decided that the date/time was April 1st.  Well, at least it got the
year right.

To fix this, it tried to bring up time using 0-3 in
openwrt.pool.ntp.org.  Reasonable enough.  I also use Unbound, for
DNSSEC validation.

Because time was so far off, I couldn't resolve the hostnames needed to
get the IP addresses to sync against.

When I've run servers with NTP, I always hard-coded IPs, while complying
with stated policies for client usage of a given server, and tracked
changes; this was necessary for the hole-opening `restrict` rules
anyway, and useful for avoiding such glitches.  In this case, it's a
home router and I'm using the pool project servers.

I understand that the *.pool.ntp.org hostnames are more dynamic and it's
very much frowned upon to hardcode these names.

How do folks here, providing this public service, feel about a tool
which can be run from cron, resolves the IPs periodically and puts them
live in a local unvalidated (".lan") zone and/or rewrites config files,
so that the hostnames are dynamic at a resolution of about a day, but
resolvable without needing accurate time?
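One way such a cron job could look, as an added example rather than the poster's own (not yet posted) tool: it resolves the four pool names through the system resolver, keeps the previous run's addresses for any name that fails to resolve (so a run while the clock is wrong does not wipe the last good list), and renders an Unbound `local-zone`/`local-data` stanza for an unsigned `lan.` zone plus matching `server` lines for the NTP client. The `ntp0.lan` to `ntp3.lan` names, the state and config file paths, and the one-day TTL are assumptions made for this example.

```python
"""Periodic pool-name resolver (added example, not the poster's tool).

Resolves 0-3.openwrt.pool.ntp.org, falls back to the previous run's answer
when a lookup fails (e.g. DNSSEC validation failing on a box whose clock is
wrong), and renders an Unbound local-data stanza for an unvalidated "lan."
zone plus matching NTP 'server' lines. Local names, paths and TTL are assumed.
"""
import json
import os
import socket
import tempfile
from typing import Callable, Dict, List

POOL_HOSTS = ["%d.openwrt.pool.ntp.org" % i for i in range(4)]
LOCAL_ZONE = "lan."   # assumed: unsigned local zone, answered from local-data only
TTL = 86400           # about a day, matching the refresh cadence in the post

Resolver = Callable[[str], List[str]]


def system_resolver(host: str) -> List[str]:
    """Resolve via the system resolver (Unbound here); IPv4 only, sorted, deduplicated."""
    infos = socket.getaddrinfo(host, 123, socket.AF_INET, socket.SOCK_DGRAM)
    return sorted({info[4][0] for info in infos})


def resolve_pool(hosts: List[str], resolver: Resolver,
                 previous: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Resolve each host; on an error or empty answer, reuse the previous run's addresses.

    The fallback is the point of the exercise: the job also runs while the clock
    is wrong and validation fails, and that must not erase the last good list.
    """
    result: Dict[str, List[str]] = {}
    for host in hosts:
        try:
            addrs = resolver(host)
        except OSError:
            addrs = []
        if addrs:
            result[host] = addrs
        elif host in previous:
            result[host] = previous[host]
    return result


def local_name(index: int) -> str:
    """Stable local FQDN for pool entry N, e.g. 'ntp0.lan.' (assumed naming scheme)."""
    return "ntp%d.%s" % (index, LOCAL_ZONE)


def unbound_stanza(resolved: Dict[str, List[str]]) -> str:
    """Render Unbound config: a static local zone with one A record per address."""
    lines = ["server:", '  local-zone: "%s" static' % LOCAL_ZONE]
    for index, host in enumerate(POOL_HOSTS):
        for ip in resolved.get(host, []):
            lines.append('  local-data: "%s %d IN A %s"' % (local_name(index), TTL, ip))
    return "\n".join(lines) + "\n"


def ntp_server_lines(resolved: Dict[str, List[str]]) -> List[str]:
    """ntpd-style 'server' lines for every pool entry that has at least one address."""
    return ["server %s iburst" % local_name(i).rstrip(".")
            for i, host in enumerate(POOL_HOSTS) if resolved.get(host)]


def write_if_changed(path: str, content: str) -> bool:
    """Atomically replace path with content; return True only when it actually changed."""
    try:
        with open(path) as f:
            if f.read() == content:
                return False
    except OSError:
        pass
    fd, tmp = tempfile.mkstemp(dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(content)
    os.replace(tmp, path)
    return True


def run(state_path: str, unbound_path: str, resolver: Resolver = system_resolver) -> bool:
    """One cron tick: resolve, persist state, rewrite the Unbound include if it changed."""
    try:
        with open(state_path) as f:
            previous = json.load(f)
    except (OSError, ValueError):
        previous = {}
    resolved = resolve_pool(POOL_HOSTS, resolver, previous)
    write_if_changed(state_path, json.dumps(resolved, sort_keys=True))
    return write_if_changed(unbound_path, unbound_stanza(resolved))


if __name__ == "__main__":
    # Assumed paths; the generated file is pulled into unbound.conf via an include: line.
    changed = run("/var/lib/pool-ips.json", "/etc/unbound/pool-ips.conf")
    print("unbound config updated, reload unbound" if changed else "no change")
```

The caller would reload Unbound only when `run()` reports a change, and point the NTP client at the `ntpN.lan` names so that it never needs a validated answer from under `.org` to get its first sync.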

Otherwise, as DNSSEC becomes more prevalent, I think that this catch-22
will bite harder: to set time, you need DNS to resolve the hostnames,
but DNS under .org requires accurate time to avoid failures of
resolution when finding the TLD NS servers, so we can't resolve the
timeserver hostnames.

I'm willing to post code for review; it'll be Python, geared towards my
OpenWRT Backfire system.
