On Sun, 11 Oct 2020 09:40:36 -0400 Greg Troxel <g...@lexort.com> wrote:
> So, this is a request to explain how a 'default install' has this
> problem, or to clarify the problem statement.

Well, NetBSD-9 comes with "unbound", which is supposed to replace "bind" as a recursive/caching name server. If you care about security, then you will always use DNSSEC and DoT, which (in my opinion) should be configured by default. Think of it as http vs https and how most people are now using https by default. Whether the NetBSD default install configures those features is a completely different matter.

There is a known issue (which is not exclusive to NetBSD, nor to unbound) that revolves around a circular dependency between ntpdate/ntpd and DNSSEC. There are several ways to work around this issue. The fact that NetBSD does not enable DNSSEC by default should not preclude it from implementing or documenting a workaround.

The default install relies on "XXX.netbsd.pool.ntp.org" hostnames in /etc/ntp.conf for both ntpdate and ntpd. This fails to work correctly when two conditions occur at the same time: a) DNSSEC is used and b) system time is incorrect, as hostnames cannot be resolved due to DNSSEC signature validation failures, I think. This failure is not very obvious and is only noticeable when the system time is wrong by some specific value, which depends on the configuration of the name server (could be minutes or hours or days).

Ideally ntpdate/ntpd should have a backup list of servers that are not hostnames but IP addresses, and don't require functioning DNS. If this can be automated via rc scripts, then it's one less thing to remember for NetBSD users. It could be as simple as adding a few stable IP addresses to /etc/ntp.conf and then marking the hostnames as "prefer".
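As an added illustration of the workaround described in the message above (not a configuration from the thread or from NetBSD itself): the first fragment is the hostname-only layout that breaks when a DNSSEC validator rejects signatures because the clock is off, the second adds address-literal fallbacks that need no DNS, with the pool hostnames marked "prefer" so they still win once resolution works. The IP addresses are RFC 5737 documentation placeholders, not real NTP servers.

```conf
# /etc/ntp.conf -- before: every server is a hostname, so with DNSSEC
# validation on and a badly skewed clock nothing resolves and nothing syncs.
pool 0.netbsd.pool.ntp.org iburst
pool 1.netbsd.pool.ntp.org iburst

# /etc/ntp.conf -- after: keep the pool hostnames as the preferred source,
# and add address-only fallbacks that ntpd (and ntpdate, when it takes its
# server list from this file) can reach without working DNS.
pool 0.netbsd.pool.ntp.org iburst prefer
pool 1.netbsd.pool.ntp.org iburst prefer
# Placeholder addresses (RFC 5737 TEST-NET ranges); replace with stable,
# trusted servers you operate or are allowed to use.
server 192.0.2.10 iburst
server 198.51.100.10 iburst
```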