-
Notifications
You must be signed in to change notification settings - Fork 1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
NTP / dnscrypt chicken & egg problem #1081
Comments
Maybe you can simply include some IP addresses in the NTP server configuration? If this is really hopeless, |
For what it's worth, I run In step 2 you refer to "The dnscrypt-proxy json file" but I'm not sure what that is other than the full EdgeOS config.boot file? It may be possible to have the controller's adoption process push more than just config.boot, in which case you could have a script that makes sure NTP is working and then automates the installation of @jedisct1's suggestion to ignore timestamps in certificate checks is something I hadn't considered, but in this case it would have no effect since Unfortunately I don't have much more advice to share since I haven't properly tested my own solution to this chicken/egg problem. Suffice to say I was uncomfortable with the relaxed security and poor integration of the built-in service installation mechanism and instead make my own |
I'm using the USG from Ubiquiti. On factory reset and adoption the USG pulls a static configuration file from the Cloud Key. That configuration file forces /etc/resolv.conf to 127.0.0.1. Any NTP server config wont survive 'factory reset'. Factory reset flushes the entire HD and pulls the resolv.conf from the central configuration server. Dnscrypt-proxy has then to be installed manually again. That installation fails because resolv.conf is set to 127.0.0.1 and ntpd fails forever because dnsproxy is not working (bad timestamp). Surprisingly my time was only behind (slow) by 11h and it did not work. It should be mentioned EdgeOS instructions that timestamp must be set correctly manually before installation even if ntpd is running (because ntpd will fail without resolver - which only happens after factory reset). |
Looks like this is not going to help if the NTP configuration is reset, but for what it's worth, there are some pretty stable IP addresses that can be used as NTP servers. Notably |
Can confirm from previous experience with I got an RTC for the Pi after that episode, but I wound up moving |
About running on such device: Better is to install a simple NTP script to run 100% of the time, in background on the device, checking every X minutes. Because internet link may still be connecting when the device starts up, thus the ntpdate initial command will fail, but using a script to check every X minutes deals well with the problem, and as soon as the internet is available the device updates the time. Also, the domain name of the timeservers (if using domain name) have to bypass the localserver and use any common external DNS server, this can easily be done and you can have a bypass name group like time.nist.gov or time.windows.com that are resolvable via external DNS (eg: 1.1.1.1), (or you can use their IP address directly as mentioned above to adjust NTP). |
dnsmasq had the same problem and they found an 'elegant' solution (perhaps worth adopting). From the man page: --dnssec-no-timecheck If dnsmasq is run in debug mode (--no-daemon flag) then SIGINT retains its usual meaning of terminating the dnsmasq process. |
|
Platform: EdgeOS (ubnt, USG).
Following instructions on https://github.com/DNSCrypt/dnscrypt-proxy/wiki/Installation-on-EdgeOS.
System running in perfect condition. Then this happens:
Factory reset is triggers by admin (on purpose).
USG goes through adoption after factory reset. The dnscrypt-proxy json file from the cloud key is automatically installed to the USG. This sets the local resolver.conf to 127.0.0.1. This is an automated process.
Now following above instructions to install the dnscrypt-proxy again will fail because the ntpd could not resolve any hostname to set the correct time. Incorrect time means that dnscrypt-proxy will not resolve any hostname and thus ntpd will never be able to set the correct date - which dnscrypt-proxy needs to resolve the domain for the ntp servers.
quick workaround after adoption but before dnscrypt-proxy installation:
/etc/init.d/ntp stop
ntpdate -b 143.210.16.201
/etc/inid.d/ntp start
real workaround might be that local resolver is not set to 127.0.0.1 so that USG can update its own date/time via ntpdate.
The text was updated successfully, but these errors were encountered: