[Pool] Pool, time, DNSSEC and startup catch-22

Mouse mouse at Rodents-Montreal.ORG
Tue May 28 22:31:56 UTC 2013


> Because time was so far off, I couldn't resolve the hostnames needed
> to get the IP addresses to sync against.

Surely the right thing to do here is to not try to enable any
facilities which depend on the time being right until the time is known
to be right?

In particular, it seems to me that, if DNSSEC verification depends on
having accurate time, resolution before the time is set should not be
attempting DNSSEC verification.

> How do folks here, providing this public service, feel about a tool
> which can be run from cron, resolves the IPs periodically and puts
> them live in a local unvalidated (".lan") zone and/or rewrites config
> files, so that the hostnames are dynamic at a resolution of about a
> day, but resolvable without needing accurate time?

You still have trouble if your connectivity happens to be broken at
reboot time.  I really think a better answer is to fix the problem, not
paper over this particular manifestation of it.

But that's armchair quarterbacking.

/~\ The ASCII				  Mouse
\ / Ribbon Campaign
 X  Against HTML		mouse at rodents-montreal.org
/ \ Email!	     7D C8 61 52 5D E7 2D 39  4E F1 31 3E E8 B3 27 4B

