[systemd-devel] timesyncd, dnssec

Jason A. Donenfeld Jason at zx2c4.com
Wed May 21 03:48:02 PDT 2014


Hey Lennart & Folks,

I've been watching the commits come in for timesyncd. I saw recently you're
restoring the time from file timestamps, just so something is decently
recent. Neat.

I thought I'd share a problem I had with another init system with regards
to NTP and DNSSEC, so that it's somewhere in the back of your mind when
designing the dependency system for timesyncd.

Machine with no battery powered clock. NTPd (timesyncd in this case) needs
DNS to resolve NTP servers. Local DNS resolver, in this case unbound,
requires correct time to do proper DNSSEC validation. So, NTP needs DNS,
but DNS needs NTP. Temporary work around is to hard code IPs into NTP.

To add to the problem: Internet requires PPPoE. Aspects of PPPoE
negotiation require having a correct time. So in sum:

Internet needs PPPoE.
PPPoE needs NTP.
NTP needs Internet.
NTP needs DNS.
DNS needs NTP.
DNS needs Internet.

The easiest solution has been to just not use DNS for NTP, and instead
hardcode IPs. But maybe these types of weird constraints have better
solutions. I'm no longer seeking an answer, as I don't administer this
setup anymore, but I thought this kind of (possibly common) weirdness might
be something to keep in mind.

Thanks,
Jason
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20140521/707d5b9a/attachment.html>


More information about the systemd-devel mailing list