Discussion:
/etc/rc.d/ntpdate needs named
Simon J. Gerraty
2013-11-09 19:19:42 UTC
After a planned power outage, had to reboot all my computers yesterday
and noticed that /etc/rc.d/ntpdate couldn't do its thing, since it
couldn't resolve any of the names in ntp.conf

Now since the names in ntp.conf like us.pool.ntp.org
resolve to many addresses which round-robin (good), it is desirable
to leave them as names in ntp.conf.

So I figured I'd make rc.d/ntpdate require 'named'.
but that doesn't work - rcorder reports a circular dependency, which I
was not able to spot.

After a bit of hack & slash I did get rcorder to list named before
ntpdate but by then something else (kdc) was complaining.

In the end I reverted everything and set a bunch of IP's in
etc/rc.conf:ntpdate_hosts
though whether any of them will be valid when I next reboot who knows.
Harry Waddell
2013-11-09 23:07:47 UTC
On Sat, 09 Nov 2013 11:19:42 -0800
Post by Simon J. Gerraty
After a planned power outage, had to reboot all my computers yesterday
and noticed that /etc/rc.d/ntpdate couldn't do its thing, since it
couldn't resolve any of the names in ntp.conf
Now since the names in ntp.conf like us.pool.ntp.org
resolve to many addresses which round-robin (good), it is desirable
to leave them as names in ntp.conf.
So I figured I'd make rc.d/ntpdate require 'named'.
but that doesn't work - rcorder reports a circular dependency, which I
was not able to spot.
After a bit of hack & slash I did get rcorder to list named before
ntpdate but by then something else (kdc) was complaining.
In the end I reverted everything and set a bunch of IP's in
etc/rc.conf:ntpdate_hosts
though whether any of them will be valid when I next reboot who knows.
As with many services, /etc/rc.d/ntpdate needs named if its
configuration uses servers that need to be resolved, but strictly speaking,
named is NOT required.

To try and make the startup script smart enough to just "do the right thing" it would
need to determine

1. is there a server in ntpd.conf that needs to be resolved
2. which named to use. i.e. the one in pkgsrc or the base set.
3. is resolv.conf configured to use a local nameserver

so it's not that it can't be done, just that it's hard to do right.

An easy workaround for cases like yours would be to
add /etc/rc.d/named[9] start to /etc/netstart.local.
I don't like hacking /etc/rc.d/files themselves because it's easy for
local mods to get lost as things get upgraded, etc...

However, the above really doesn't matter most of the time because of the following.

It's fairly common that most users will either start their local nameserver hosts,
and other essential services, before starting regular systems OR use the dns
server of their hosting or service provider. ( perhaps only at the end of the
nameserver list in resolv.conf to provide failover )

I would definitely not use an IP address of some ntp.org pool servers.
Instead, I'd use my local time server, which I started first, OR one
that belonged to my hosting provider or ISP.

Best of luck,

Harry Waddell
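Checks 1 and 3 from the list above, as an added example in POSIX sh (not Harry's code and not NetBSD's rc.d script). The functions take the config paths as arguments so they can be run against constructed stand-ins for /etc/ntp.conf and /etc/resolv.conf; the function names, the temp files and the 192.0.2.x addresses (RFC 5737 documentation range) are assumptions for the demo, and check 2 (which named binary to start) is not covered.

```shell
#!/bin/sh
# Added example, not code from NetBSD's rc.d: Harry's checks 1 and 3 as sh
# functions that take the config paths as arguments so they can be run
# against constructed files. Check 2 (which named binary) is not covered.

# is_ip_literal ADDR: true if ADDR is an IPv4 dotted quad or an IPv6 literal
is_ip_literal() {
    case "$1" in
        *:*)        return 0 ;;   # contains ':' => IPv6 literal
        *[!0-9.]*)  return 1 ;;   # anything but digits and dots => a name
        *)          return 0 ;;
    esac
}

# ntp_names_needing_dns NTP_CONF: print the server/pool/peer arguments that
# are names (not addresses), one per line; true if there was at least one
ntp_names_needing_dns() {
    _found=1
    for _h in $(sed 's/#.*//' "$1" | awk '$1=="server"||$1=="pool"||$1=="peer"{print $2}'); do
        if ! is_ip_literal "$_h"; then
            echo "$_h"
            _found=0
        fi
    done
    return $_found
}

# resolver_is_local_only RESOLV_CONF: true if every nameserver line points at
# loopback (or there are none, in which case libc's resolver defaults to
# loopback), i.e. nothing resolves until a local named is running
resolver_is_local_only() {
    for _ns in $(sed 's/#.*//' "$1" | awk '$1=="nameserver"{print $2}'); do
        case "$_ns" in
            127.*|::1) ;;
            *) return 1 ;;
        esac
    done
    return 0
}

# ntpdate_needs_named NTP_CONF RESOLV_CONF: true when ntpdate would fail to
# resolve its servers before named starts; prints the reason either way
ntpdate_needs_named() {
    if ! _names=$(ntp_names_needing_dns "$1"); then
        echo "no: every time server is an IP literal"
        return 1
    fi
    if resolver_is_local_only "$2"; then
        echo "yes: resolv.conf only lists loopback and ntp.conf names" $_names
        return 0
    fi
    echo "no: resolv.conf has a non-loopback nameserver to fall back on"
    return 1
}

# Constructed stand-ins for /etc/ntp.conf and /etc/resolv.conf; 192.0.2.0/24
# is the RFC 5737 documentation range, used here as a placeholder
demo_dir=$(mktemp -d)
cat > "$demo_dir/ntp.conf" <<'EOF'
server us.pool.ntp.org      # a pool name, needs DNS
server 192.0.2.10           # a fixed local server, does not
EOF
printf 'nameserver 127.0.0.1\n' > "$demo_dir/resolv.conf.localonly"
printf 'nameserver 127.0.0.1\nnameserver 192.0.2.53\n' > "$demo_dir/resolv.conf.fallback"

ntpdate_needs_named "$demo_dir/ntp.conf" "$demo_dir/resolv.conf.localonly"
ntpdate_needs_named "$demo_dir/ntp.conf" "$demo_dir/resolv.conf.fallback"
```

The two calls at the end show the boundary the thread is about: the same ntp.conf needs named with a loopback-only resolv.conf and does not once a second, non-local nameserver is listed after it.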
Simon J. Gerraty
2013-11-10 01:29:20 UTC
Post by Harry Waddell
As with many services, /etc/rc.d/ntpdate needs named if its
configuration uses servers that need to be resolved,
Which is the case in the standard setup - which is good as previously
noted.
Post by Harry Waddell
but strictly speaking, named is NOT required.
It is only not required if
1/ ntp.conf contains IP's
2/ rc.conf contains IP's in ntpdate_hosts
3/ etc/hosts can resolve the names
Post by Harry Waddell
I don't like hacking /etc/rc.d/files themselves because it's easy for
local mods to get lost as things get upgraded, etc...
I have no problem changing them if it can be done so correctly.
As noted there is a circular dependency which is not immediately
obvious.
Post by Harry Waddell
It's fairly common that most users will either start their local nameserver hosts,
This *is* my name server host ;-)
Post by Harry Waddell
and other essential services, before starting regular systems OR use the dns
server of their hosting or service provider. ( perhaps only at the end of the
nameserver list in resolv.conf to provide failover )
Yes that is a potential workaround, but being able to get named started
earlier would be better.
Post by Harry Waddell
I would definitely not use an IP address of some ntp.org pool servers.
Instead, I'd use my local time server, which I started first, OR one
that belonged to my hosting provider or ISP.
Again, tricky if you have one machine that is *the* main server.
Roland C. Dowdeswell
2013-11-10 07:23:52 UTC
Post by Simon J. Gerraty
Post by Harry Waddell
As with many services, /etc/rc.d/ntpdate needs named if its
configuration uses servers that need to be resolved,
Which is the case in the standard setup - which is good as previously
noted.
Post by Harry Waddell
but strictly speaking, named is NOT required.
It is only not required if
1/ ntp.conf contains IP's
2/ rc.conf contains IP's in ntpdate_hosts
3/ etc/hosts can resolve the names
I think that you should consider 3/ to be:

3/ the NSS framework can resolve names without named running.

And when stated like this, the easiest answer becomes clear which
is to put another nameserver into /etc/resolv.conf after localhost
which will allow things to work easily on boot.

--
Roland Dowdeswell http://Imrryr.ORG/~elric/
Simon J. Gerraty
2013-11-10 07:59:20 UTC
Post by Roland C. Dowdeswell
And when stated like this, the easiest answer becomes clear which
is to put another nameserver into /etc/resolv.conf after localhost
which will allow things to work easily on boot.
Yes I think that was one of Harry's suggestions too.
Quite reasonable.

Thanks
--sjg

Robert Elz
2013-11-10 03:32:28 UTC
This discussion has been held before I believe, with no consensus to
change things.

I believe the rationale is that if you're really running a nameserver,
you need ntpd running first, otherwise there can be dnssec problems, and
that's not good. That means, on nameserver hosts, ntp.conf (or equivalent
way of achieving the same effect) should be configured with IP addresses.

Most NetBSD hosts don't run nameservers, so the default config is to put
names (pool names) in ntp.conf because that's best both for them, and for
the global ntp community.

Config files as distributed cannot suit everyone - they're intended to
be edited to meet local requirements - that's why they are config files,
and not just parts of the distributed binaries. The distributed configs
are best when they are best (safely) suited for the needs of the majority,
and even more so when the minority (those who also run nameservers in this
case) can be assumed to be above average in knowledge/ability.

None of this is unfamiliar to me - I also run a nameserver and ntp on the
same host - my plan for the new updated version I will be installing as soon
as my new hardware arrives, is to have a script that runs regularly and puts
the ntp pool addresses into /etc/hosts - that way they'll be available before
named starts after a reboot, but will still be current with the addresses
returned by the pool DNS lookups (even rotating the values over time). If
I'm feeling particularly ambitious, I'll even have the script adapt to the
DNS TTL values (otherwise I'll just run it every 10 mins or so ...)

kre
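An added example of the /etc/hosts refresh kre describes above, written here for this page (it is not his script). It looks each pool name up, rewrites that name's lines in the hosts file through a temp file and mv so the file is never half-written, leaves the file alone when the lookup returns nothing (so the last known addresses survive a DNS outage), and prints the shortest TTL seen so a cron job or loop can pace itself. The tag format, the 60..600 second clamp, the use of dig(1) and the 192.0.2.x/198.51.100.x addresses are assumptions.

```shell
#!/bin/sh
# Added example, not kre's script: keep the current addresses of NTP pool
# names in /etc/hosts so they resolve via the files NSS backend before named
# is up, and report the shortest DNS TTL seen so the caller can reschedule.
# Assumes dig(1); the lookup is a function so it can be replaced offline.

# lookup NAME: print "ADDR TTL" for each A record of NAME
lookup() {
    dig +noall +answer "$1" A | awk '$4=="A"{print $5, $2}'
}

# update_hosts HOSTS_FILE NAME ADDR...: drop every line tagged for NAME and
# append one tagged line per address. The tag is the line's last field,
# "ntp-pool:NAME", so hand-written entries for other names are untouched.
update_hosts() {
    _file=$1; _name=$2; shift 2
    _tmp=$(mktemp "$_file.XXXXXX") || return 1
    awk -v tag="ntp-pool:$_name" '$NF != tag' "$_file" > "$_tmp"
    for _a in "$@"; do
        printf '%s\t%s\t# ntp-pool:%s\n' "$_a" "$_name" "$_name" >> "$_tmp"
    done
    # mktemp creates the file 0600; /etc/hosts must stay world-readable
    chmod 644 "$_tmp" && mv "$_tmp" "$_file"
}

# refresh NAME HOSTS_FILE: look NAME up, rewrite its lines, print the smallest
# TTL. If the lookup returns nothing (DNS down, named not yet running) the
# file is left alone so the previous addresses remain usable.
refresh() {
    _name=$1; _file=$2
    _recs=$(lookup "$_name" 2>/dev/null)
    if [ -z "$_recs" ]; then
        echo "no answer for $_name; keeping existing entries" >&2
        return 1
    fi
    _addrs=$(echo "$_recs" | awk '{print $1}')
    _ttl=$(echo "$_recs" | awk 'NR==1 || $2 < m {m = $2} END {print m}')
    update_hosts "$_file" "$_name" $_addrs || return 1
    echo "$_ttl"
}

# clamp_interval TTL: next-run delay in seconds, bounded to 60..600 so a
# huge or tiny TTL neither stalls refreshes nor hammers the pool's DNS
clamp_interval() {
    _t=$1
    [ "$_t" -lt 60 ] && _t=60
    [ "$_t" -gt 600 ] && _t=600
    echo "$_t"
}

# main HOSTS_FILE NAME...: refresh each name, print when to run again
main() {
    _file=$1; shift
    _next=600
    for _n in "$@"; do
        if _t=$(refresh "$_n" "$_file"); then
            [ "$_t" -lt "$_next" ] && _next=$_t
        fi
    done
    echo "re-run in $(clamp_interval "$_next") seconds"
}

# e.g. from cron as root: sh ntp_pool_hosts.sh /etc/hosts us.pool.ntp.org
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Two things to keep in mind before relying on this. It only helps if nsswitch.conf consults files for hosts and the libc files backend returns every matching line for a name rather than just the first (an assumption here; check on the target libc). And the addresses come straight from a DNS answer and are written into a file every program on the host trusts, so the refresh should run through the same validating resolver the host otherwise uses, not around it.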
Simon J. Gerraty
2013-11-10 07:58:03 UTC
Post by Robert Elz
I believe the rationale is that if you're really running a nameserver,
you need ntpd running first, otherwise there can be dnssec problems, and
Good point.
Post by Robert Elz
same host - my plan for the new updated version I will be installing as soon
as my new hardware arrives, is to have a script that runs regularly and puts
the ntp pool addresses into /etc/hosts - that way they'll be available before
Yes, I was thinking of something like that.

Thanks
--sjg