smoketest #6 of cerowrt is go for testing

Dave Taht dave.taht at
Sun Jul 17 08:34:33 EDT 2011

On Sat, Jul 16, 2011 at 10:35 PM, Dave Hart <davehart_gmail_exchange_tee at> wrote:

> On Sun, Jul 17, 2011 at 00:02 UTC, Rick Jones <rick.jones2 at> wrote:
> > If you configure ntpd with bare IP addresses rather than names, will the
> > getaddrinfo() return without attempting any DNS in the first place?
> Yes, basically.  ntpd might not even call getaddrinfo() in that case
> (it may use inet_pton() or similar to convert the IP address to binary
> representation).  At any rate, using only numeric IPv4 or IPv6
> addresses will avoid any DNS lookups.

While there is one group that is finally providing ntp time via anycast -
which is a good solution to a large extent! - there is only the one (small)
group doing so, rather than the needed '3'.

And I'm reluctant, given the sordid history of hard coding ntp IP addresses,
to hard code *any* until far more anycast servers are online.

To take a step backwards on this, there are extensive notes on the circular
dependencies between time and dnssec logged here.

I'd implemented a hack to try to address these circular dependencies last
week in the named-latest package repo, while also coping with

I think I addressed the latter issue, but *good*. :) The 'fix' for the
ntp/dnssec/bind/network dependencies seems to have some problems, however,
notably really slow startup in general.

To step further back on this:

I had implemented ntp (with 7 contacted servers in the conf file!) in the
first place due to the "cosmic background bufferbloat detector" idea
extensively discussed on the comp.protocols.ntp newsgroup, and because I
wanted to be able to compare large sample data sets against known-to-be
accurate time, with a large deployment of client routers that had a
configuration I could trust to be accurate, talking to a yet-to-be-deployed
string of ntp servers (via hopefully a helpful operator) that could work on
this with us.

We had implemented dnssec in the first place because we wanted more people
to be using it, and ironing out problems (among other things, I planned to
use it to ensure valid updates to the routers), and because of nonsense
about DNS censorship happening all over the world, such as the recent
shenanigans in Australia.

Once all these circular dependencies are resolved on boot, which doesn't
always happen and seems to take minutes, regardless, dnssec works pretty
darn good. Seeing it actually work at all after a decade of discussion makes
me really, really happy, but making it work *well*, somehow, would be best.

It's also my hope to implement this fix to bind, in the next rc release of

> Cheers,
> Dave Hart

Dave Täht
SKYPE: davetaht
US Tel: 1-239-829-5608
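
The quoted point about numeric addresses can be checked against a configuration: this added example (not part of the original thread, and not ntpd's own code) lists which ntp.conf association lines are address literals and which depend on the resolver, and so on the time/DNSSEC startup ordering discussed above. The sample config, its placeholder host names and the function names `is_numeric_address` and `audit` are constructed for illustration.

```python
import socket

# Constructed sample ntp.conf; addresses come from documentation ranges
# (RFC 5737 / RFC 3849) and the host names are placeholders.
SAMPLE_CONF = """\
# upstream time sources
server 192.0.2.10 iburst
server 2001:db8::123
server 0.pool.example.org iburst
pool   time.example.net
peer   198.51.100.7
driftfile /var/lib/ntp/ntp.drift
server 192.0.2.300
"""

ASSOC_KEYWORDS = {"server", "pool", "peer"}


def is_numeric_address(host):
    """True if host is a strict IPv4 or IPv6 literal (inet_pton succeeds)."""
    for family in (socket.AF_INET, socket.AF_INET6):
        try:
            socket.inet_pton(family, host)
            return True
        except OSError:
            continue
    return False


def audit(conf_text):
    """Return (numeric, needs_dns) lists of association targets."""
    numeric, needs_dns = [], []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()  # drop comments
        if len(tokens) < 2 or tokens[0] not in ASSOC_KEYWORDS:
            continue
        # Skip the optional -4 / -6 address-family qualifier.
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]
        if not args:
            continue
        # Anything that is not a valid literal (including a mistyped
        # address such as 192.0.2.300) is treated as needing resolution.
        (numeric if is_numeric_address(args[0]) else needs_dns).append(args[0])
    return numeric, needs_dns


if __name__ == "__main__":
    numeric, needs_dns = audit(SAMPLE_CONF)
    print("no DNS needed:", numeric)
    print("resolver required before time sync:", needs_dns)
```
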

More information about the Bloat-devel mailing list