Bug #205

Router clock (NTP/DNS issues)

Added by steve fox almost 2 years ago. Updated about 1 year ago.

Status: New
Start date: 07/13/2011
Priority: Urgent
Due date:
Assignee: -
% Done: 0%
Category: -
Spent time: 10.00 hours
Target version: Cerowrt-Next

Description

NTP and DNS still seem to have circular dependencies.
All times fail and stay failed after network failure.


Related issues

duplicates Cerowrt - Bug #113: circular dependency on time in DNS New 05/05/2011

History

Updated by Dave Täht almost 2 years ago

  • Priority changed from Normal to Urgent
  • Target version set to 1st Public Cerowrt release

  1. We have a terrible circular dependency on dnssec on valid time
     1. xinetd comes up S46
     2. ntpd comes up S46
     3. bind-prep is S46
     4. bind is S48

     1. We don't have valid time on boot. A new router may have sat in a box for months or years.
     2. A router may also have been turned off for a long period of time.
     3. In either case, there is no battery backed up clock, and writing flash on a regular basis for any reason is a bad idea.
     4. NTP needs DNS to start AND
     5. DNSSEC needs valid time to work
     6. DNSSEC comes up enabled by default in named, if turned on
     7. ntp -g does not issue dns queries with the unauthenticated bit on
     8. Thus we can't come up with valid time until ntp does
     9. bind needs to get valid roots

     1. ntp may or may not have a signal that says 'HI! I've got valid time now, go on!'
     2. There isn't a good way to know if dnssec validation is enabled or disabled via named
     3. And we need three ntp servers to vote to slew the time
     4. Usually. And we need the network up, and connected to the internet, before we can do anything
     5. We could just wait for a time slew event
     6. So my first hacky solution was to have lots of ntp servers in the conf file, turn off bind's dnssec validation on boot, monitor time via ntpd until it had contacted 3 valid servers and slewed the time, then reload bind's confs with dnssec turned on.
     7. But I fear this has introduced a dependency on getting the roots right in the first place.
     8. A mildly better solution for this would be to modify ntp -g to send queries with unauth on, and to have it announce to somewhere "I'm happy now, go on do what you need that needs time", but it's only partial due to the other dependencies.
     9. Somehow.

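The boot-time sequence sketched in the comment above (start named with validation off, wait until ntpd has settled against three servers, then turn validation on and reload named), written out as an added shell example; this is not CeroWrt's own init script and was not posted by the commenter. It assumes ntpq(8) from the reference ntpd and rndc(8) from BIND, a named.conf.options file that contains a dnssec-validation line (the path is hypothetical), and it feeds a constructed ntpq -pn sample to the peer parser so the gate can be exercised offline; the environment variables and function names are mine.

```shell
#!/bin/sh
# Added example (not CeroWrt's init code): gate DNSSEC validation in named on
# ntpd having settled against enough servers. Paths and names are assumptions.

NTPQ="${NTPQ:-ntpq}"
RNDC="${RNDC:-rndc}"
NAMED_OPTIONS="${NAMED_OPTIONS:-/etc/bind/named.conf.options}"   # hypothetical path
MIN_PEERS="${MIN_PEERS:-3}"   # the comment wants three servers voting before trusting time

# Constructed sample of "ntpq -pn" output once ntpd has converged: two header
# lines, then one peer per line with the tally code in column 1.
SAMPLE_NTPQ='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*203.0.113.10    .GPS.            1 u   12   64  377    1.234   -0.123   0.045
+203.0.113.11    203.0.113.10     2 u   20   64  377    2.345    0.234   0.067
+203.0.113.12    203.0.113.10     2 u   18   64  377    3.456   -0.345   0.089
 203.0.113.13    .INIT.          16 u    -   64    0    0.000    0.000   0.000
x203.0.113.14    203.0.113.10     2 u   30   64  377   99.000  500.000   1.000'

# Constructed sample for a router just out of the box: nothing reachable yet.
SAMPLE_NTPQ_COLD='     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
 203.0.113.10    .INIT.          16 u    -   64    0    0.000    0.000   0.000
 203.0.113.11    .INIT.          16 u    -   64    0    0.000    0.000   0.000'

# count_good_peers: read "ntpq -pn" output on stdin and print how many peers
# survived ntpd's selection: '*' system peer, 'o' PPS peer, '+' candidate,
# '#' backup. Rejected (' '), falseticker ('x'), excess ('.') and outlier
# ('-') peers do not count, so a single reachable server is not enough.
count_good_peers() {
    awk 'NR > 2 && ($0 ~ /^[*o+#]/) { n++ } END { print n + 0 }'
}

# good_peers_from TEXT: same parser over a string, used for the samples above.
good_peers_from() {
    printf '%s\n' "$1" | count_good_peers
}

# ntp_is_settled: true when the live ntpd reports at least MIN_PEERS usable peers.
# If ntpd is not running, ntpq prints nothing useful and the count is 0.
ntp_is_settled() {
    peers=$("$NTPQ" -pn 2>/dev/null | count_good_peers)
    [ "$peers" -ge "$MIN_PEERS" ]
}

# set_dnssec_validation yes|no [FILE]: rewrite the dnssec-validation option in
# place. A temp file plus mv is used instead of sed -i for portability.
set_dnssec_validation() {
    state="$1"
    file="${2:-$NAMED_OPTIONS}"
    tmp="$file.tmp.$$"
    sed "s/^\([[:space:]]*dnssec-validation[[:space:]][[:space:]]*\)[a-z]*;/\1${state};/" \
        "$file" > "$tmp" && mv "$tmp" "$file"
}

# bootstrap_dnssec [TIMEOUT]: the sequence from the comment. named starts with
# validation off so ntpd's DNS lookups succeed without valid time; once ntpd
# has settled, validation is switched on and named reloaded. If time never
# arrives, validation stays off and the caller is told so it can alert.
bootstrap_dnssec() {
    timeout="${1:-600}"
    set_dnssec_validation no
    "$RNDC" reload >/dev/null 2>&1 || true
    elapsed=0
    while [ "$elapsed" -lt "$timeout" ]; do
        if ntp_is_settled; then
            set_dnssec_validation yes
            "$RNDC" reload
            return 0
        fi
        sleep 10
        elapsed=$((elapsed + 10))
    done
    echo "ntpd did not reach $MIN_PEERS usable peers in ${timeout}s; DNSSEC validation left off" >&2
    return 1
}

# Only touch the live system when invoked as: sh this_script.sh run [timeout]
if [ "${1:-}" = run ]; then
    bootstrap_dnssec "${2:-600}"
fi
```

The parser is the part worth getting right: counting every line of ntpq output would declare victory as soon as one server answered, which is exactly the single-source trust the comment says it wants to avoid. Leaving validation off after a timeout, with a logged reason, is a deliberate choice; silently enabling it on bad time would make every DNSSEC-signed lookup fail and the router would never recover.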
Updated by Dave Täht almost 2 years ago

  • Project changed from Cerowrt to ISCWRT

Updated by Dave Täht over 1 year ago

  • Target version changed from 1st Public Cerowrt release to 14

Updated by Jim Gettys over 1 year ago

  • Project changed from ISCWRT to Cerowrt

Updated by Dave Täht about 1 year ago

  • Target version changed from 14 to Cerowrt-Next
