Chiming in a bit late here, however, the availability of stratum 1 clocks and stratum 2 class time data on non IP and/or non interconnected networks is now so large, I question why one would run NTP outside of the building in many cases, certainly in an enterprise of any size.
On Tue, Sep 10, 2013 at 6:45 PM, Evan Hunt <each@xxxxxxx> wrote:
On Tue, Sep 10, 2013 at 05:59:52PM -0400, Olafur Gudmundsson wrote:That's roughly what we did with BIND on OpenWrt/CeroWrt as well. We
> My colleagues and I worked on OpenWrt routers to get Unbound to work
> there, what you need to do is to start DNS up in non-validating mode wait
> for NTP to fix time, then check if the link allows DNSSEC answers
> through, at which point you can enable DNSSEC validation.
also discussed hacking NTP to set the CD bit on its initial DNS queries,
but I don't think any of the code made it upstream.
My real recommendation would be to run an NTP pool in an anycast cloud of
well-known v4 and v6 addresses guaranteed to be reliable over a period of
years. NTP could then fall back to those addresses if unable to look up the
server it was configured to use. DNS relies on a well-known set of root
server addresses for bootstrapping; I don't see why NTP shouldn't do the
same.
(Actually... the root nameservers could *almost* provide a workable time
tick for bootstrapping purposes right now: the SOA record for the root
zone encodes today's date in the serial number. So you do the SOA lookup,
set your system clock, attempt validation; on failure, set the clock an
hour forward and try again; on success, use NTP to fine-tune. Klugey! :) )
--
Evan Hunt -- each@xxxxxxx
Internet Systems Consortium, Inc.
_______________________________________________
DNSOP mailing list
DNSOP@xxxxxxxx
https://www.ietf.org/mailman/listinfo/dnsop