Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

NTP doesn't work anymore in v2: DNSSEC validation failed #81

Closed
zehnm opened this issue Apr 17, 2021 · 1 comment · Fixed by #82
Closed

NTP doesn't work anymore in v2: DNSSEC validation failed #81

zehnm opened this issue Apr 17, 2021 · 1 comment · Fixed by #82
Assignees
@zehnm
Labels
bug Something isn't working remote-os
Milestone
Next Major Releas...

Comments

@zehnm
Copy link
Member

zehnm commented Apr 17, 2021
edited
Loading

Description

Time update with NTP doesn't work anymore in the new v2 image with Buildroot 2021.02. The log is full of errors:

Feb 02 16:38:48 yioremote systemd-resolved[142]: [🡕] DNSSEC validation failed for question . IN DNSKEY: signature-expired
Feb 02 16:38:48 yioremote systemd-resolved[142]: [🡕] DNSSEC validation failed for question com IN DS: signature-expired
Feb 02 16:38:48 yioremote systemd-resolved[142]: [🡕] DNSSEC validation failed for question com IN DNSKEY: signature-expired
Feb 02 16:38:48 yioremote systemd-resolved[142]: [🡕] DNSSEC validation failed for question google.com IN DS: signature-expired
Feb 02 16:38:48 yioremote systemd-resolved[142]: [🡕] DNSSEC validation failed for question google.com IN SOA: signature-expired
Feb 02 16:38:48 yioremote systemd-resolved[142]: [🡕] DNSSEC validation failed for question time4.google.com IN DS: signature-expired
Feb 02 16:38:48 yioremote systemd-resolved[142]: [🡕] DNSSEC validation failed for question time4.google.com IN SOA: signature-expired
Feb 02 16:38:48 yioremote systemd-resolved[142]: [🡕] DNSSEC validation failed for question time4.google.com IN AAAA: signature-expired
Feb 02 16:38:48 yioremote systemd-resolved[142]: [🡕] DNSSEC validation failed for question time4.google.com IN A: signature-expired

How to Reproduce

Steps to reproduce the behavior:

  1. Use v2.0.0-rc1 image
  2. Run initial configuration
  3. See time in UI: doesn't get updates
  4. See errors with journalctl -f

Expected behavior

Time is updated with ntp

Your Environment

  • Version used: v2.0.0-rc1
  • Running on:
    • YIO Remote

Additional context

Similar issue: https://bbs.archlinux.org/viewtopic.php?id=240427

systemd now uses DNSSEC by default with downgrade if the servers don't support it. Default time servers are from Google. They support DNSSEC. Initial boot has a date of Feb 2 which makes DNS requests invalid, because of the timeframe. So the ntp servers cannot be resolved and the time never gets synchronized...

Possible solutions:

  • Manually set initial time.
    Bad user experience if the remote is switched off for a while and the time has to be manually set again.
  • Use standalone ntp client and disable systemd ntp.
    This might still not work if the server name cannot be resolved.
  • Disable DNSSEC in systemd.
@zehnm zehnm added bug Something isn't working remote-os labels Apr 17, 2021
@zehnm zehnm added this to the Next Major Release v2 milestone Apr 17, 2021
@zehnm zehnm self-assigned this Apr 17, 2021
zehnm added a commit that referenced this issue Apr 17, 2021
@zehnm
fix: Disable systemd DNSSEC
5c9ec74 
With DNSSEC enabled, server names cannot be resolved at initial boot with an out-of-sync local time.
This fixes #81
@zehnm
Copy link
Member Author

zehnm commented Apr 17, 2021

Fixed in v2.0.0-rc2

@zehnm zehnm closed this as completed Apr 17, 2021
@zehnm zehnm mentioned this issue Apr 17, 2021
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zehnm zehnm

Labels
bug Something isn't working remote-os
Projects
None yet
Milestone
Next Major Release v2
Development

Successfully merging a pull request may close this issue.

Release v2.0.0-rc2 YIO-Remote/remote-os
1 participant
@zehnm