default local DNS caching name server
paul at nohats.ca
Mon Apr 14 17:50:13 UTC 2014
On Mon, 14 Apr 2014, Juan Orti Alcaine wrote:
> One thing I would like to note is that on machines which don't have a
> hardware clock, I had problems starting bind and unbound, because the date
> was back to 1970 on each boot, so the root DNS key was not yet valid and
> there were no valid DNS resolvers to update the time by NTP. I had to hardcode
> some NTP servers' IP addresses to perform the NTP queries at boot time.
> This was using the OpenWrt distro on a MIPS router; I don't know if we can
> face this kind of problem on ARM machines. I guess all x86 have a hardware
> clock, don't they?
That's a problem we are aware of. tlsdate is one method, but I believe
the openwrt people now also do some other things. Possibly saving the
time on shutdown so you have a reasonable time on startup.
For DNSSEC, we found that you need accuracy within a couple of hours
because some RRSIGs in the path to .org (for ntp.pool.org) were pretty
short. But I think adding a few ntp servers by IP address could be good
for the standard ntp config as well - provided there are IPs that can be
used for that in the pool.
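Added example, not part of the original message or of unbound, bind or OpenWrt: the reason a "couple of hours" is the bound is that a validator accepts an RRSIG only while inception <= now <= expiration (RFC 4034 section 3.1.5), so the clock has to sit inside the intersection of every signature window on the path from the root down to the name, and the shortest-lived signature decides how much drift is tolerated. The script below parses a constructed chain of RRSIGs in dig's presentation format and reports that window and the slack in each direction. Owner names, timestamps, key tags and signature data are invented for the illustration; a real check would feed in the records actually returned with `dig +dnssec` for the name being validated.

```python
"""How much clock error does a DNSSEC validation chain tolerate?

Added example: every RRSIG on the path must satisfy
inception <= now <= expiration, so the usable clock window is the
intersection of all the signatures' windows.
"""
from datetime import datetime, timezone

# Constructed RRSIGs in presentation format, as `dig +dnssec` prints them.
# Owners, timestamps, key tags and the (truncated) signature data are
# invented for this example.
SAMPLE_RRSIGS = """\
.             172800 IN RRSIG DNSKEY 8 0 172800 20140428000000 20140414000000 19036 . AwEAAc3...
org.           86400 IN RRSIG DS     8 1  86400 20140421000000 20140414000000 19036 . Q2Rl...
org.             900 IN RRSIG DNSKEY 7 1    900 20140415120000 20140414100000  9795 org. Lz9x...
pool.ntp.org.   3600 IN RRSIG A      8 3   3600 20140416000000 20140414000000 54321 ntp.org. b3Bl...
"""


def rrsig_time(s):
    """Parse the RRSIG YYYYMMDDHHMMSS timestamp, which is always UTC."""
    return datetime.strptime(s, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)


def parse_rrsig(line):
    """Parse one RRSIG line into its fixed fields; the signature itself is ignored."""
    f = line.split()
    if len(f) < 12 or f[3] != "RRSIG":
        raise ValueError("not an RRSIG record: %r" % line)
    return {
        "owner": f[0],
        "type_covered": f[4],
        "algorithm": int(f[5]),
        "labels": int(f[6]),
        "original_ttl": int(f[7]),
        "expiration": rrsig_time(f[8]),
        "inception": rrsig_time(f[9]),
        "key_tag": int(f[10]),
        "signer": f[11],
    }


def parse_chain(text):
    """Parse all non-blank lines of a zone-file style dump into RRSIG dicts."""
    return [parse_rrsig(l) for l in text.splitlines() if l.strip()]


def validity_window(chain):
    """Intersection of all RRSIG windows: (latest inception, earliest expiration)."""
    start = max(s["inception"] for s in chain)
    end = min(s["expiration"] for s in chain)
    return start, end


def clock_slack(chain, now):
    """Seconds the clock may be set back / ahead and still validate the chain.

    A negative value means the clock is already outside the window on that side.
    """
    start, end = validity_window(chain)
    return (now - start).total_seconds(), (end - now).total_seconds()


def validates_at(chain, now):
    """True when every RRSIG in the chain is within its validity period at `now`."""
    back, fwd = clock_slack(chain, now)
    return back >= 0 and fwd >= 0


def narrowest(chain):
    """The shortest-lived signature, i.e. the one that bounds the clock window."""
    return min(chain, key=lambda s: s["expiration"] - s["inception"])


if __name__ == "__main__":
    chain = parse_chain(SAMPLE_RRSIGS)
    start, end = validity_window(chain)
    bound = narrowest(chain)
    print("clock must be between %s and %s" % (start, end))
    print("bounded by RRSIG over %s %s (lifetime %s)"
          % (bound["owner"], bound["type_covered"], bound["expiration"] - bound["inception"]))
    for label, now in (("mail timestamp", rrsig_time("20140414175013")),
                       ("no-RTC boot", rrsig_time("19700101000000"))):
        print("%-15s validates=%s slack=%s" % (label, validates_at(chain, now), clock_slack(chain, now)))
```

With the constructed data the whole chain is pinned by the 26-hour org DNSKEY signature, and a board that boots at the epoch is decades outside the window, which is exactly the state where a validating resolver cannot resolve the NTP pool and NTP cannot fix the clock.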