Per previous thread, the best approach to resolving the boot-time "catch 22" for getting DNS to get time to get DNS working was to use a query with checking disabled, and this could be done well enough in shell in the existing ntpdate system startup script.
The modified OpenWRT script is below. OpenWRT folks: you have my
permission to redistribute this under your sole copyright, removing my
name.
It's a lot longer and it relies upon the "dig" command, which was *NOT*
installed by default ("opkg install bind-dig"), but I broke the shell
down into functions as simple as possible rather than being as concise
as possible. Tested on the Backfire release. Aside from the default
sub-pool chosen and the hard-coded path to ntpdate, it should be
portable to any POSIX shell OS.
I strongly suspect that there's value in writing something like this in
C, or including the code for fallback into ntpdate itself, but this
should let folks try the rough algorithm.
(But I don't have time for that now; I slacked off and only got around
to it today because my router rebooted again and this bit me again.)
-Phil
----------------------------8< cut here >8------------------------------
#!/bin/sh /etc/rc.common
# Copyright (C) 2006-2008 OpenWrt.org
# Copyright (C) 2013 Phil Pennock
START=60
STEP_SERVERS="0.openwrt.pool.ntp.org 1.openwrt.pool.ntp.org 2.openwrt.pool.ntp.org"
TIMEOUT="2" # in seconds
# The core problem is that with DNSSEC, an invalid time prevents resolution
# of DNS, but we need DNS to be able to find time-servers to get a good time
# to be able to resolve DNS.
#
# We break out of this "Catch 22" situation by _trying_ normal DNS resolution,
# IPv4 and then IPv6, and only if those fail do we forcibly disable DNSSEC
# by using dig(1)'s +cd flag ("checking disabled"); trying normally first
# protects us against malicious DNS trying to point us to bad time-servers,
# if we've enough state that we _should_ already be protected.
#
# The "insecure" approach we regress to, as a last resort, is the same way
# the Internet functioned for decades. There is a DoS+hijack attack path
# here, but if we don't have a good battery-backed clock to protect us, we
# don't have a better solution.
resolve_hostname_v4() {
    # we use the grep both to filter out cname referrals and to detect empty
    # results (grep's exit status is the function's exit status)
    local hn="$1"
    shift
    dig +nodnssec +short "$@" -t a "$hn" | grep '^[0-9][0-9.]*$'
}
resolve_hostname_v6() {
    # same idea for AAAA records; -i because dig may print hex in either case
    local hn="$1"
    shift
    dig +nodnssec +short "$@" -t aaaa "$hn" | grep -i '^[0-9a-f][0-9a-f.:]*$'
}
resolve_one_server() {
    # validated lookups first; only if both fail do we retry with +cd
    local hn="$1"
    resolve_hostname_v4 "$hn" && return
    resolve_hostname_v6 "$hn" && return
    resolve_hostname_v4 "$hn" +cd && return
    resolve_hostname_v6 "$hn" +cd && return
}
resolve_step_servers() {
    local server
    for server in $STEP_SERVERS ; do
        resolve_one_server "$server"
    done
}
start() {
    # step the clock from the first resolved address that answers
    for s in $(resolve_step_servers) ; do
        /usr/sbin/ntpdate -s -b -u -t "$TIMEOUT" "$s" && break
    done
}
----------------------------8< cut here >8------------------------------
pool mailing list: http://lists.ntp.org/listinfo/pool
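As an added example (not part of Phil's script or of OpenWrt), the functions below extend the same fallback idea with two things an operator wants: each answer is tagged with the path that produced it, so the boot log shows when the checking-disabled path was actually used, and an address obtained that way can be re-checked with validation enabled once the clock has been stepped. The dig() shell function is a constructed offline stand-in for dig(1), and the names CLOCK_OK, resolve_tagged, verify_after_step and first_mode are mine.

```shell
#!/bin/sh
# CONSTRUCTED stand-in for dig(1) so this runs offline. Before the clock is
# "set" (CLOCK_OK=0) validated queries return nothing, as a SERVFAIL from a
# validating resolver would; +cd queries, and validated queries once
# CLOCK_OK=1, return a CNAME line followed by two addresses (RFC 5737 space).
CLOCK_OK=0
dig() {
    cd_flag=0
    for a in "$@"; do [ "$a" = "+cd" ] && cd_flag=1; done
    if [ "$CLOCK_OK" = 1 ] || [ "$cd_flag" = 1 ]; then
        printf '%s\n' 'pool.example.net.' '192.0.2.10' '192.0.2.11'
    fi
    return 0
}

# Same filter as the original script: keep only A records, drop the CNAME
# referral line; grep's exit status tells the caller whether anything matched.
resolve_v4() {
    hn="$1"; shift
    dig +nodnssec +short "$@" -t a "$hn" | grep '^[0-9][0-9.]*$'
}

# Validated first, checking-disabled second; prefix every address with the
# mode that produced it so the caller (or a logger) can tell them apart.
resolve_tagged() {
    out=$(resolve_v4 "$1") && { printf '%s\n' "$out" | sed 's/^/validated /'; return 0; }
    out=$(resolve_v4 "$1" +cd) && { printf '%s\n' "$out" | sed 's/^/checking-disabled /'; return 0; }
    return 1
}

# After the clock has been stepped from a checking-disabled answer, resolve
# again with validation on and confirm that address is among the validated
# answers. Non-zero means the insecure answer was not confirmed: log it.
verify_after_step() {
    addr="$1"; hn="$2"
    resolve_v4 "$hn" | grep -qx "$addr"
}

# Convenience: which mode produced the first usable address for a name.
first_mode() { resolve_tagged "$1" | head -n 1 | cut -d' ' -f1; }
```

In the real script the +cd answer is fed to ntpdate and the clock stepped; the verify_after_step check then tells you whether a validating lookup agrees with the address you trusted blindly.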
