20160203 Chicken & Egg issues

A couple of people have reported a new-ish chicken&egg issue in system startup.

It basically goes like this:

  • System is booted

  • Clock is wrong

  • NTPD/Ntimed is run

  • NTPD/Ntimed tries to resolve a DNS name

  • The DNS resolver hits DNSSEC

  • DNSSEC validation gets wrong system time

  • DNSSEC validation fails

  • DNS resolver fails

  • NTPD/Ntimed doesn’t sync time

There are no true solutions to this, it is a genuine chicken&egg issue.

Not that many people have hit it yet, because DNSSEC is not that widely deployed and a lot of people have, wisely, configured their NTP servers using numeric IP numbers.

But that is not always an option, for instance there is no way to run NTP-server pools, like *.pool.ntp.org, using numeric IP numbers.

The way Ntimed will tackle this, once I get the code written, is by keeping a dedicated DNS cache in a file, for use on the next startup.

The startup will go something like this:

  • Configure any servers which are specified with numeric IP#s

  • Configure any servers we can with the cache file

  • Periodically Attempt to DNS resolve any non-numeric servernames

  • Save resolved IP#s in cache file

This is not perfect, but it will solve the problem in the majority of cases, and it also takes the DNS entirely out of the normal startup, which, all else being equal, should shave some fraction of a second of system boot times.