* [Buildroot] [PATCH 1/1] package/{chrony, ntp, openntpd}: turn off DNSSEC validation
@ 2021-07-08 11:16 James Hilliard
2021-07-16 20:58 ` Thomas Petazzoni
2021-08-03 9:19 ` Peter Korsgaard
0 siblings, 2 replies; 3+ messages in thread
From: James Hilliard @ 2021-07-08 11:16 UTC (permalink / raw)
To: buildroot
We have a chicken and egg problem: validation of DNSSEC signatures
doesn't work without a correct clock, but to set the correct clock we
need to contact NTP servers which requires resolving a hostname, which
would normally require DNSSEC validation.
Let's break the cycle by excluding NTP hostname resolution from
validation for now.
Details:
https://github.com/systemd/systemd/commit/abf4e5c1d3ad767bc0ed67883e8e4d916af095ec
Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
---
package/chrony/chrony.service | 4 ++++
package/ntp/ntpd.service | 4 ++++
package/openntpd/ntpd.service | 4 ++++
3 files changed, 12 insertions(+)
diff --git a/package/chrony/chrony.service b/package/chrony/chrony.service
index 325b63c492..210122cf5d 100644
--- a/package/chrony/chrony.service
+++ b/package/chrony/chrony.service
@@ -4,6 +4,10 @@ After=syslog.target network.target
Conflicts=systemd-timesyncd.service
[Service]
+# Turn off DNSSEC validation for hostname look-ups, since those need the
+# correct time to work, but we likely won't acquire that without NTP. Let's
+# break this chicken-and-egg cycle here.
+Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0
ExecStart=/usr/sbin/chronyd -n
Restart=always
diff --git a/package/ntp/ntpd.service b/package/ntp/ntpd.service
index 7964c5389b..9a0f4c6dbf 100644
--- a/package/ntp/ntpd.service
+++ b/package/ntp/ntpd.service
@@ -5,6 +5,10 @@ After=network.target
[Service]
Type=forking
PIDFile=/run/ntpd.pid
+# Turn off DNSSEC validation for hostname look-ups, since those need the
+# correct time to work, but we likely won't acquire that without NTP. Let's
+# break this chicken-and-egg cycle here.
+Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0
ExecStart=/usr/sbin/ntpd -g -p /run/ntpd.pid
[Install]
diff --git a/package/openntpd/ntpd.service b/package/openntpd/ntpd.service
index a4ffa7318c..c2924b0c5c 100644
--- a/package/openntpd/ntpd.service
+++ b/package/openntpd/ntpd.service
@@ -5,6 +5,10 @@ Conflicts=systemd-timesyncd.service
[Service]
Type=simple
+# Turn off DNSSEC validation for hostname look-ups, since those need the
+# correct time to work, but we likely won't acquire that without NTP. Let's
+# break this chicken-and-egg cycle here.
+Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0
ExecStart=/usr/sbin/ntpd -s -d
[Install]
--
2.25.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* [Buildroot] [PATCH 1/1] package/{chrony, ntp, openntpd}: turn off DNSSEC validation
2021-07-08 11:16 [Buildroot] [PATCH 1/1] package/{chrony, ntp, openntpd}: turn off DNSSEC validation James Hilliard
@ 2021-07-16 20:58 ` Thomas Petazzoni
2021-08-03 9:19 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Thomas Petazzoni @ 2021-07-16 20:58 UTC (permalink / raw)
To: buildroot
On Thu, 8 Jul 2021 05:16:27 -0600
James Hilliard <james.hilliard1@gmail.com> wrote:
> We have a chicken and egg problem: validation of DNSSEC signatures
> doesn't work without a correct clock, but to set the correct clock we
> need to contact NTP servers which requires resolving a hostname, which
> would normally require DNSSEC validation.
>
> Let's break the cycle by excluding NTP hostname resolution from
> validation for now.
>
> Details:
> https://github.com/systemd/systemd/commit/abf4e5c1d3ad767bc0ed67883e8e4d916af095ec
>
> Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
> ---
> package/chrony/chrony.service | 4 ++++
> package/ntp/ntpd.service | 4 ++++
> package/openntpd/ntpd.service | 4 ++++
> 3 files changed, 12 insertions(+)
I'm not an expert in this area, but the explanation seems sensible, and
nobody complained so far, so I've applied to master. Thanks!
Thomas
--
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [Buildroot] [PATCH 1/1] package/{chrony, ntp, openntpd}: turn off DNSSEC validation
2021-07-08 11:16 [Buildroot] [PATCH 1/1] package/{chrony, ntp, openntpd}: turn off DNSSEC validation James Hilliard
2021-07-16 20:58 ` Thomas Petazzoni
@ 2021-08-03 9:19 ` Peter Korsgaard
1 sibling, 0 replies; 3+ messages in thread
From: Peter Korsgaard @ 2021-08-03 9:19 UTC (permalink / raw)
To: James Hilliard; +Cc: buildroot
>>>>> "James" == James Hilliard <james.hilliard1@gmail.com> writes:
> We have a chicken and egg problem: validation of DNSSEC signatures
> doesn't work without a correct clock, but to set the correct clock we
> need to contact NTP servers which requires resolving a hostname, which
> would normally require DNSSEC validation.
> Let's break the cycle by excluding NTP hostname resolution from
> validation for now.
> Details:
> https://github.com/systemd/systemd/commit/abf4e5c1d3ad767bc0ed67883e8e4d916af095ec
> Signed-off-by: James Hilliard <james.hilliard1@gmail.com>
Committed to 2021.02.x and 2021.05.x, thanks.
--
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@busybox.net
http://lists.busybox.net/mailman/listinfo/buildroot
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2021-08-03 9:19 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-07-08 11:16 [Buildroot] [PATCH 1/1] package/{chrony, ntp, openntpd}: turn off DNSSEC validation James Hilliard
2021-07-16 20:58 ` Thomas Petazzoni
2021-08-03 9:19 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.