[Pool] Pool, time, DNSSEC and startup catch-22

Kenyon Ralph kenyon at kenyonralph.com
Tue May 28 22:35:52 UTC 2013

On 2013-05-28T12:00:31-0400, Phil Pennock <ntp-pool-phil at spodhuis.org> wrote:
> Folks, after a tree-induced power & ISP connectivity outage, my router
> decided that the date/time was April 1st.  Well, at least it got the
> year right.
> To fix this, it tried to bring up time using 0-3 in
> openwrt.pool.ntp.org.  Reasonable enough.  I also use Unbound, for
> DNSSEC validation.
> Because time was so far off, I couldn't resolve the hostnames needed to
> get the IP addresses to sync against.
> When I've run servers with NTP, I always hard-coded IPs, while complying
> with stated policies for client usage of a given server, and tracked
> changes; this was necessary for the hole-opening `restrict` rules
> anyway, and useful for avoiding such glitches.  In this case, it's a
> home router and I'm using the pool project servers.
> I understand that the *.pool.ntp.org hostnames are more dynamic and it's
> very much frowned upon to hardcode these names.
> How do folks here, providing this public service, feel about a tool
> which can be run from cron, resolves the IPs periodically and puts them
> live in a local unvalidated (".lan") zone and/or rewrites config files,
> so that the hostnames are dynamic at a resolution of about a day, but
> resolvable without needing accurate time?
> Otherwise, as DNSSEC becomes more prevalent, I think that this catch-22
> will bite harder: to set time, you need DNS to resolve the hostnames,
> but DNS under .org requires accurate time to avoid failures of
> resolution when finding the TLD NS servers, so we can't resolve the
> timeserver hostnames.

I've experienced the same issue, and my solution is to hardcode the
IPv4 and IPv6 addresses of my Linode (which also is in the pool) into
my OpenWrt routers, in addition to using openwrt.pool.ntp.org.

Maybe you can do the same, picking an appropriate server from
https://support.ntp.org/bin/view/Servers/StratumTwoTimeServers if you
don't have your own off-site machine with a static address?

Otherwise, as a pool server operator, I'd be fine with such a dynamic
config-writing tool as you describe.

Kenyon Ralph
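The cron-driven tool Phil describes (resolve the pool names periodically, publish them in a local unvalidated zone, rewrite the NTP client config), as an added example. This is not code from the original thread or from the pool project: it assumes `dig` and `unbound-control` are available on the router, that the local zone is called `ntp.lan`, that `/etc/unbound/ntp-lan.conf` is pulled in from the `server:` section of unbound.conf with `include:`, that ntpd reads `/etc/ntp.conf.d/pool-lan` via `includefile`, and that an optional `UPSTREAM` environment variable names a non-validating forwarder; all of these names and paths are assumptions. The lookups are done with the DNSSEC CD (checking disabled) bit, so they still work when the clock is years off, and the zone file is only replaced when at least one address resolved, so a bad day never wipes out the last good set of addresses.

```shell
#!/bin/sh
# pool-refresh.sh (added example; not from the original thread or the pool project).
# Resolves the NTP pool hostnames once a day from cron WITHOUT DNSSEC validation
# and publishes the addresses as a local, unvalidated Unbound zone (assumed name
# "ntp.lan") so ntpd can reach a server after a cold start even when the clock
# is so wrong that validated lookups under .org fail.
# Run directly as "sh pool-refresh.sh"; sourcing the file only defines the functions.

POOL_HOSTS="0.openwrt.pool.ntp.org 1.openwrt.pool.ntp.org 2.openwrt.pool.ntp.org 3.openwrt.pool.ntp.org"
LOCAL_ZONE="ntp.lan"                                  # assumed zone name
OUT="${OUT:-/etc/unbound/ntp-lan.conf}"               # assumed path; include: it from unbound.conf
NTP_OUT="${NTP_OUT:-/etc/ntp.conf.d/pool-lan}"        # assumed path; includefile it from ntp.conf
UPSTREAM="${UPSTREAM:-}"                              # assumed optional non-validating forwarder
TTL=3600

# Keep only IPv4/IPv6 literals; "dig +short" also prints CNAME targets for pool names.
filter_addrs() {
  grep -E '^([0-9]{1,3}\.){3}[0-9]{1,3}$|^[0-9A-Fa-f:]*:[0-9A-Fa-f:.]*$'
}

# resolve_unvalidated HOST -> addresses, one per line.
# +cd sets the CD bit (RFC 4035), asking the validating resolver to hand back the
# answer without checking signatures, which is what a clock far in the past breaks.
resolve_unvalidated() {
  host=$1
  srv=${UPSTREAM:+@$UPSTREAM}
  { dig +short +cd +time=3 +tries=1 $srv "$host" A
    dig +short +cd +time=3 +tries=1 $srv "$host" AAAA; } 2>/dev/null | filter_addrs
}

# render_local_zone LABEL < addresses -> Unbound local-data lines for LABEL.$LOCAL_ZONE
render_local_zone() {
  label=$1
  while IFS= read -r addr; do
    case $addr in
      *:*) type=AAAA ;;
      *)   type=A ;;
    esac
    printf 'local-data: "%s.%s. %d IN %s %s"\n' "$label" "$LOCAL_ZONE" "$TTL" "$type" "$addr"
  done
}

# render_ntp_servers LABELS... -> ntp.conf "server" lines that point at the local zone;
# the router's own Unbound answers these from local-data, so no validation is involved.
render_ntp_servers() {
  for label in "$@"; do
    printf 'server %s.%s iburst\n' "$label" "$LOCAL_ZONE"
  done
}

# build_zone -> complete Unbound fragment on stdout; fails (status 1) when nothing resolved.
build_zone() {
  n=0
  printf 'local-zone: "%s." static\n' "$LOCAL_ZONE"
  for host in $POOL_HOSTS; do
    label=${host%%.*}                       # "0" from "0.openwrt.pool.ntp.org"
    addrs=$(resolve_unvalidated "$host")
    [ -n "$addrs" ] || continue
    n=$((n + 1))
    printf '%s\n' "$addrs" | render_local_zone "$label"
  done
  [ "$n" -gt 0 ]
}

# install_zone: write atomically, keep the previous file when nothing resolved,
# reload Unbound only when the content actually changed.
install_zone() {
  tmp="$OUT.tmp.$$"
  if ! build_zone > "$tmp"; then
    rm -f "$tmp"
    echo "pool-refresh: no pool address resolved; keeping $OUT" >&2
    return 1
  fi
  if [ -f "$OUT" ] && cmp -s "$tmp" "$OUT"; then
    rm -f "$tmp"
    return 0
  fi
  mv "$tmp" "$OUT"
  unbound-checkconf >/dev/null 2>&1 && unbound-control reload >/dev/null 2>&1
}

main() {
  install_zone || exit 1
  render_ntp_servers 0 1 2 3 > "$NTP_OUT"
}

case ${0##*/} in pool-refresh.sh) main "$@" ;; esac
```

A crontab line such as `23 4 * * * /usr/sbin/pool-refresh.sh` (assumed install location) gives the roughly one-day resolution Phil has in mind, and because the addresses are re-resolved every run rather than pinned forever, they track pool rotation instead of going stale the way a hand-edited IP list does. The zone only ever carries the pool names, so the trust level is exactly that of an unvalidated lookup of those names, which is all a validating resolver could have offered at boot anyway.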