From: Phil Pennock <cerowrt-devel+phil@spodhuis.org>
To: David Personette <dperson@gmail.com>
Cc: "cerowrt-devel@lists.bufferbloat.net" <cerowrt-devel@lists.bufferbloat.net>
Subject: Re: [Cerowrt-devel] DNSSEC & NTP Bootstrapping
Date: Mon, 24 Mar 2014 17:30:17 -0400
Message-ID: <20140324213017.GA79741@redoubt.spodhuis.org>
In-Reply-To: <CAMybZqzp1jXEf1=Y4z5ymHoF0=QjdVaX9bujjMX+iUuh3wLPuQ@mail.gmail.com>
On 2014-03-24 at 16:27 -0400, David Personette wrote:
> With the exception of the extra dependencies (dig and python), I like this.
Thanks -- that's about my stance too. It helps prove the algorithm and
approach, but needs to be rewritten as a small tool.
> The only other issue I see is if the router is brought online before
> internet access is available. If I read your code correctly, it will try 4
> times per defined server (with and without DNSSEC for IPv4 and IPv6), then
> exit. It either needs to keep trying until it succeeds, or be called every
> time a connection comes up (shutting down NTPd prior and restarting after).
True -- a small tool which can be put into the interfaces up script
would work well. I'm on a rather stable FiOS connection, so it's not
been an issue for me, which is why I'm still on the bloated version I
have -- it works.
Here's about what I have in mind; the ntpsrv stratum check and the
restart ntpd ourselves bits are beyond what's in the proof-of-concept
script, which is what I've been using on my home router since last July
or so (OpenWRT backfire and then later attitude adjustment).
Usage: update-time-securely [-n ntpsrv] [-r reffile] [-t dnstimeout] hostnames...
Assume ntpsrv is 127.0.0.1, send a control packet equivalent to sysinfo,
check stratum. If stratum is present and less than some cut-off (10?
Most free-wheeling modes use 12 or greater, right?) then we're done. If
no response or stratum too high, ntpd is eligible for nuking.
Use the reference file as the trust anchor from dnsmasq/unbound; handle
the file given being a symlink and ensure the ctime of the file pointed
to (to handle it being a link which package management can point at
dnsmasq or unbound's config). If clocktime is less than the timestamp
on that file (less a concurrency jitter) then time is Wrong. Nuke ntpd
now, force time to step up to that value, syslog it (before and after).
Try to resolve the hostnames, all together, A and AAAA concurrently. If
we get any results, use those. If we get no results, try again but with
the CD flag set in the DNS queries.
If we got results from the DNS resolution, nuke ntpd if it wasn't
already nuked. Invoke ntpdate to set the time, accept the default
values and cut-offs for adjtime vs settimeofday.
If we nuked ntpd, start it again ourselves. We can use a capture of
/proc/$oldpid/cmdline to get the command-line to invoke, or it can be a
flag option, or an option to use a magic exit code to indicate to the
caller that ntpd should now be started.
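The stratum cut-off and the trust-anchor time floor described in the message above, as an added Python example; this is not Phil's proof-of-concept script or the proposed tool. The comma-separated key=value readvar payload, the jitter allowance and the sample files are assumptions constructed for the example.

```python
import os
import tempfile
import time

STRATUM_CUTOFF = 10     # cut-off floated in the post: at or above this, ntpd is free-wheeling
JITTER_SECONDS = 120    # constructed allowance for the anchor file having just been written


def stratum_from_readvar(payload):
    """Pull 'stratum=N' out of a mode-6 readvar payload (assumed ntpq 'rv'
    style: comma-separated key=value items). None if absent or malformed."""
    if not payload:
        return None
    for item in payload.split(","):
        key, _, value = item.strip().partition("=")
        if key == "stratum" and value.strip().isdigit():
            return int(value)
    return None


def ntpd_eligible_for_nuking(payload, cutoff=STRATUM_CUTOFF):
    """No response, no stratum field, or stratum >= cutoff: ntpd is not usefully synced."""
    stratum = stratum_from_readvar(payload)
    return stratum is None or stratum >= cutoff


def trust_anchor_floor(reffile):
    """ctime of the file the reference path points to. os.stat follows
    symlinks, so a link that package management repoints still resolves."""
    return os.stat(reffile).st_ctime


def clock_is_wrong(now, floor_ts, jitter=JITTER_SECONDS):
    """A trust anchor cannot predate its own creation: a clock earlier than
    the file's ctime (less jitter) is certainly wrong and must step forward."""
    return now < floor_ts - jitter


def demo():
    """Constructed scenario: anchor file reached via a symlink, checked against
    a clock reset to the epoch and against the real clock."""
    with tempfile.TemporaryDirectory() as d:
        real = os.path.join(d, "trust-anchors.conf")
        with open(real, "w") as f:
            f.write("# constructed trust anchor file\n")
        link = os.path.join(d, "ref")
        os.symlink(real, link)
        floor_ts = trust_anchor_floor(link)
        return {
            "link_resolves": abs(floor_ts - os.stat(real).st_ctime) < 1e-6,
            "epoch_clock_wrong": clock_is_wrong(0, floor_ts),
            "now_ok": not clock_is_wrong(time.time(), floor_ts),
        }
```

Note that the floor only catches a clock that is too far in the past (the bootstrap failure the thread is about); a clock running ahead still needs the DNS and NTP steps that follow.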