default local DNS caching name server

Paul Wouters paul at nohats.ca
Mon Apr 14 17:50:13 UTC 2014


On Mon, 14 Apr 2014, Juan Orti Alcaine wrote:

> One thing I would like to note is that in machines which don't have a 
> hardware clock, I had problems starting bind and unbound, because the date 
> was back to 1970 on each boot, so the root dns key was not yet valid and 
> there were no valid dns resolvers to update time by ntp. I had to hardcode 
> some ntp servers' IP addresses to perform the ntp queries at boot time.
>
> This was using the OpenWrt distro on a mips router, I don't know if we can 
> face this kind of problem on ARM machines. I guess all x86 have a hardware 
> clock, don't they?

That's a problem we are aware of. tlsdate is one method, but I believe
the openwrt people now also do some other things. Possibly saving the
time on shutdown so you have a reasonable time on startup.

For DNSSEC, we found that you need accuracy within a couple of hours
because some RRSIGs in the path to .org (for ntp.pool.org) were pretty
short. But I think adding a few ntp servers by IP address could be good
for the standard ntp config as well - provided there are IPs that can be
used for that in the pool.

Paul
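An added worked example of the clock dependency discussed above (not code from this thread, nor from unbound, BIND, OpenWrt or the NTP pool): it parses the inception and expiration fields of an RRSIG, applies the validator's temporal check with the 32-bit serial-number arithmetic the RFCs require, and reports how far the local clock may drift before a given signature stops validating. The RRSIG record, its timestamps and the "last known good" shutdown timestamp are constructed for illustration; the signature field is a placeholder.

```python
"""
Added example (not code from the thread, unbound, BIND or OpenWrt): why a
DNSSEC validator needs a roughly correct clock. An RRSIG carries an inception
and an expiration time (RFC 4034 section 3.1.5); the validator accepts the
signature only while  inception <= now <= expiration  (RFC 4035 section
5.3.1), so a clock reset to 1970 rejects every signature in the chain.
The RRSIG below is constructed for illustration; its signature field is a
placeholder and the timestamps are assumptions.
"""
import re
from datetime import datetime, timezone

MASK32 = 0xFFFFFFFF
_RRSIG_TIME = re.compile(r"^\d{14}$")  # presentation form YYYYMMDDHHmmSS, UTC

# Constructed RRSIG RDATA, field order per RFC 4034 section 3.2:
# type-covered algorithm labels original-TTL expiration inception key-tag signer signature
SAMPLE_RRSIG = "A 8 2 3600 20140415171235 20140414161235 12345 example.org. AAAA"


def parse_rrsig_time(text: str) -> int:
    """Turn an RRSIG time field into the 32-bit unsigned seconds-since-epoch
    value used on the wire (RFC 4034 section 3.1.5)."""
    if not _RRSIG_TIME.match(text):
        raise ValueError(f"bad RRSIG time field: {text!r}")
    dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp()) & MASK32


def serial_le(a: int, b: int) -> bool:
    """a <= b under RFC 1982 serial number arithmetic with SERIAL_BITS = 32.
    The wire values wrap in 2106, so a plain integer compare is wrong there.
    A difference of exactly 2^31 is undefined in RFC 1982 and is treated as
    'not less-or-equal' here."""
    return a == b or ((b - a) & MASK32) < 0x80000000


def rrsig_window(rrsig_rdata: str) -> tuple[int, int]:
    """Return (inception, expiration) from RRSIG RDATA in presentation format."""
    fields = rrsig_rdata.split()
    if len(fields) < 9:
        raise ValueError("RRSIG RDATA needs at least nine fields")
    expiration = parse_rrsig_time(fields[4])
    inception = parse_rrsig_time(fields[5])
    return inception, expiration


def rrsig_valid_at(inception: int, expiration: int, now: int) -> bool:
    """Temporal check a validator applies before trusting the signature."""
    now &= MASK32
    return serial_le(inception, now) and serial_le(now, expiration)


def clock_tolerance(inception: int, expiration: int, now: int) -> tuple[int, int]:
    """Seconds the local clock may run slow or fast before this signature
    stops validating: (slack_if_slow, slack_if_fast). Short-lived RRSIGs in
    the chain make the slow-side slack small, which is the 'couple of hours'
    the thread mentions. Returns (0, 0) if the clock is already outside."""
    now &= MASK32
    if not rrsig_valid_at(inception, expiration, now):
        return (0, 0)
    return ((now - inception) & MASK32, (expiration - now) & MASK32)


def should_bootstrap_time(now: int, last_known_good: int) -> bool:
    """Boot-time heuristic for boxes without an RTC: if the clock is earlier
    than a timestamp persisted at the last shutdown (or the build time), it
    was reset, so fetch time from NTP servers addressed by IP before starting
    a validating resolver. 'last_known_good' is an assumed persisted value."""
    return now < last_known_good


if __name__ == "__main__":
    inc, exp = rrsig_window(SAMPLE_RRSIG)
    for label, clock in (("1970 reset", 0),
                         ("2014-04-14 18:00 UTC", 1397498400),
                         ("2014-04-20", 1397952000)):
        print(f"{label:>22}: valid={rrsig_valid_at(inc, exp, clock)} "
              f"tolerance={clock_tolerance(inc, exp, clock)}")
    print("bootstrap needed at boot:", should_bootstrap_time(0, inc))
```

With the sample record, a clock that reads 18:00 UTC on the inception day may be at most 6445 seconds (about 1 h 47 min) slow before validation fails, while it may be almost a day fast; a clock at the epoch fails outright, which is exactly the boot-time deadlock described in the quoted message.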

