[Pool] Pool, time, DNSSEC and startup catch-22

Chris Kuethe chris.kuethe at gmail.com
Tue May 28 23:35:24 UTC 2013


Can you autogenerate a bootstrap config/script based on the contents of
http://tf.nist.gov/tf-cgi/servers.cgi


On Tue, May 28, 2013 at 9:00 AM, Phil Pennock <ntp-pool-phil at spodhuis.org> wrote:

> Folks, after a tree-induced power & ISP connectivity outage, my router
> decided that the date/time was April 1st.  Well, at least it got the
> year right.
>
> To fix this, it tried to bring up time using 0-3 in
> openwrt.pool.ntp.org.  Reasonable enough.  I also use Unbound, for
> DNSSEC validation.
>
> Because time was so far off, I couldn't resolve the hostnames needed to
> get the IP addresses to sync against.
>
> When I've run servers with NTP, I always hard-coded IPs, while complying
> with stated policies for client usage of a given server, and tracked
> changes; this was necessary for the hole-opening `restrict` rules
> anyway, and useful for avoiding such glitches.  In this case, it's a
> home router and I'm using the pool project servers.
>
> I understand that the *.pool.ntp.org hostnames are more dynamic and it's
> very much frowned upon to hardcode these names.
>
> How do folks here, providing this public service, feel about a tool
> which can be run from cron, resolves the IPs periodically and puts them
> live in a local unvalidated (".lan") zone and/or rewrites config files,
> so that the hostnames are dynamic at a resolution of about a day, but
> resolvable without needing accurate time?
>
> Otherwise, as DNSSEC becomes more prevalent, I think that this catch-22
> will bite harder: to set time, you need DNS to resolve the hostnames,
> but DNS under .org requires accurate time to avoid failures of
> resolution when finding the TLD NS servers, so we can't resolve the
> timeserver hostnames.
>
> I'm willing to post code for review; it'll be Python, geared towards my
> OpenWRT Backfire system.
>
> Thanks,
> -Phil
> _______________________________________________
> pool mailing list
> pool at lists.ntp.org
> http://lists.ntp.org/listinfo/pool
>



-- 
GDB has a 'break' feature; why doesn't it have 'fix' too?
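The cron-driven bootstrap tool Phil sketches above (periodically resolve the pool hostnames, publish the addresses in a local unvalidated zone and/or rewrite config files, keep them usable when DNSSEC validation fails because the clock is wrong) can be illustrated with the following Python. It is an added example written for this page, not code from Phil, Chris, or the pool project. It assumes a local zone named "ntp.lan" with aliases of the form "<first label>.ntp.lan", a JSON cache layout, and the file paths in the constants; all of these are illustrative choices, not anything the thread specifies. The resolver is injectable so the core logic can be exercised offline; the system resolver is used only when the script is run directly.

```python
"""Added example (not from the thread): cron-driven bootstrap cache for
pool.ntp.org addresses.

While DNS (and DNSSEC validation) works, resolve the pool hostnames and
store the answers. Render two artifacts from the cache:
  (a) an Unbound local-data fragment for an unvalidated "ntp.lan" zone, so
      0.ntp.lan etc. resolve without signature checks, and
  (b) "server <ip> iburst" lines for ntpd.
If a resolution fails (e.g. clock far off, DNSSEC signatures look invalid),
the previous answer for that name is kept, so the last known-good addresses
survive a bad reboot.

Assumed, not from the page: the zone name, the alias scheme, the cache
layout and every file path below.
"""
import json
import socket
import time
from pathlib import Path

POOL_NAMES = [f"{i}.openwrt.pool.ntp.org" for i in range(4)]
LOCAL_ZONE = "ntp.lan"                                        # assumed
CACHE_FILE = Path("/var/lib/ntp-bootstrap/cache.json")       # assumed
UNBOUND_OUT = Path("/etc/unbound/ntp-bootstrap.conf")         # assumed
NTP_OUT = Path("/etc/ntp.d/bootstrap.conf")                   # assumed


def system_resolver(name):
    """Resolve IPv4 addresses with the system resolver (needs working DNS)."""
    infos = socket.getaddrinfo(name, 123, socket.AF_INET, socket.SOCK_DGRAM)
    return sorted({info[4][0] for info in infos})


def refresh_cache(names, resolver, previous=None, now=None):
    """Re-resolve each name; on failure or an empty answer keep the old entry.

    Returns {name: {"addrs": [ip, ...], "updated": epoch_seconds}}.
    """
    now = time.time() if now is None else now
    previous = previous or {}
    cache = {}
    for name in names:
        try:
            addrs = resolver(name)
        except OSError:          # socket.gaierror is a subclass of OSError
            addrs = []
        if addrs:
            cache[name] = {"addrs": sorted(set(addrs)), "updated": now}
        elif name in previous:
            cache[name] = previous[name]   # stale, but still usable
    return cache


def stale_names(cache, max_age, now=None):
    """Names whose cached answer is older than max_age seconds."""
    now = time.time() if now is None else now
    return sorted(n for n, e in cache.items() if now - e["updated"] > max_age)


def alias_for(name, zone=LOCAL_ZONE):
    """0.openwrt.pool.ntp.org -> 0.ntp.lan. (assumed alias scheme)."""
    return f"{name.split('.')[0]}.{zone}."


def render_unbound(cache, zone=LOCAL_ZONE):
    """Unbound local-zone/local-data fragment; local data is not validated."""
    lines = [f'local-zone: "{zone}." static']
    for name in sorted(cache):
        for ip in cache[name]["addrs"]:
            lines.append(f'local-data: "{alias_for(name, zone)} A {ip}"')
    return "\n".join(lines) + "\n"


def render_ntp_conf(cache):
    """One deduplicated 'server <ip> iburst' line per cached address."""
    addrs = sorted({ip for entry in cache.values() for ip in entry["addrs"]})
    return "".join(f"server {ip} iburst\n" for ip in addrs)


def load_cache(path=CACHE_FILE):
    try:
        return json.loads(path.read_text())
    except (OSError, ValueError):
        return {}


def main():
    previous = load_cache()
    cache = refresh_cache(POOL_NAMES, system_resolver, previous)
    if not cache:
        raise SystemExit("nothing resolved and no cached addresses to fall back on")
    CACHE_FILE.parent.mkdir(parents=True, exist_ok=True)
    CACHE_FILE.write_text(json.dumps(cache, indent=1))
    UNBOUND_OUT.write_text(render_unbound(cache))
    NTP_OUT.write_text(render_ntp_conf(cache))
    for name in stale_names(cache, 7 * 86400):
        print(f"warning: {name} has not re-resolved in over a week")


if __name__ == "__main__":
    main()
```

Run it daily from cron. Because the pool rotates addresses and asks clients not to pin them, the staleness check matters: an entry that has not re-resolved in a long time should be treated as a signal that DNS is broken, not as a permanent address.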