From e30f937f6a6f2e098fdadb274024a6d98a34299f Mon Sep 17 00:00:00 2001 From: Luca Boccassi Date: Wed, 21 Aug 2024 19:54:47 +0100 Subject: [PATCH] doc: explain how to disable DNSSEC validation with sd-resolved in FAQ DNSSEC requires the system time to be synced in order to work, as the signature date and expiration need to be checked by resolvers. But it is possible that syncing the times requires doing DNS queries. Add a paragraph to the FAQ explaining how to break this cycle by asking nss-resolved to always avoid DNSSEC when chronyd tries to resolve hostnames. --- doc/faq.adoc | 11 +++++++++++ 1 file changed, 11 insertions(+) diff --git a/doc/faq.adoc b/doc/faq.adoc index 8fff795..144bb8c 100644 --- a/doc/faq.adoc +++ b/doc/faq.adoc @@ -772,6 +772,17 @@ print all sources, even those that do not have a known address yet, with their names as they were specified in the configuration. This can be useful to verify that the names specified in the configuration are used as expected. +When DNSSEC is enabled, it will not work until the time is synchronized, as it +requires validating a signature timestamp and its expiration date, so if the +system time is too far in the future or the past DNSSEC validation will fail and +`chronyd` will be unable to resolve the address of the NTP server. In such cases, +if hostnames are the only options and bare IP addresses cannot be used, DNSSEC +can be disabled for `chronyd` using resolver-specific mechanisms, if available, +although of course that means losing the protection afforded by DNSSEC. +For example, when using systemd-resolved, the `SYSTEMD_NSS_RESOLVE_VALIDATE=0` +environment variable can be set, for example in the `chronyd` systemd unit via +`Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0`. + === Is `chronyd` allowed to step the system clock? By default, `chronyd` adjusts the clock gradually by slowing it down or
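Review bot: the added FAQ paragraph should state the precondition for the workaround it recommends: `SYSTEMD_NSS_RESOLVE_VALIDATE=0` is read by the nss-resolve NSS module (the "nss-resolved" the commit message refers to), so it only takes effect when `chronyd`'s name lookups actually go through the `resolve` entry in nsswitch.conf; if lookups instead reach systemd-resolved through its DNS stub via the `dns` NSS module, the variable is ignored and DNSSEC validation stays on. Suggest adding a short clause such as "(this only applies when hostname lookups go through the nss-resolve module)". Two smaller points in the same hunk: the last sentence uses "for example" twice ("For example, when using systemd-resolved, ... can be set, for example in the `chronyd` systemd unit"), so drop one; and recommending a drop-in (`systemctl edit chronyd` producing `[Service]` / `Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0`) rather than "in the `chronyd` systemd unit" avoids readers editing the packaged unit file. It is also worth saying explicitly that the setting is per-process, so only `chronyd`'s own lookups lose validation, which makes the "losing the protection afforded by DNSSEC" caveat more precise.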