Allow NTP sync before enforcing DNSSEC time check

Raspberry Pis do not have real time clocks, so if they're off for enough time or otherwise lose time, every DNSSEC validation comes back as bogus.

This makes it impossible for the system to sync with an NTP server, since the required DNS responses get rejected as bogus; after this everything stops working.

Please add some sort of detection logic to detect whether time is correct, or simply don't enforce the time check until the system has had a chance to sync with an NTP server. dnsmasq can be told to skip the time check with the
--dnssec-no-timecheck option.

Thanks! I really enjoy this project and appreciate the effort that has been put in thus far!

I second this... I have a few smart lights that work with my Google Home and if my Raspberry Pi is shut down for more than say a half hour I have to manually set the time to get close enough then do a time sync with the ntp server... A real headache to be honest

A solution for this already exists, native dnsmasq (and thus pihole-FTL)
add a new configuration file to /etc/dnsmasq.d (don't add it to 01-pihole.conf, as this will remove the new setting after pihole -up or pihole -r, so create XX-dnssec.conf)


from the dnsmasq man page:

DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an interesting chicken-and-egg problem for machines which don't have a hardware real time clock. For these machines to determine the correct time typically requires use of NTP and therefore DNS, but validating DNS requires that the correct time is already known. Setting this flag removes the time-window checks (but not other DNSSEC validation.) only until the dnsmasq process receives SIGINT. The intention is that dnsmasq should be started with this flag when the platform determines that reliable time is not currently available. As soon as reliable time is established, a SIGINT should be sent to dnsmasq, which enables time checking, and purges the cache of DNS records which have not been thoroughly checked. 
Earlier versions of dnsmasq overloaded SIGHUP (which re-reads much configuration) to also enable time validation. 
If dnsmasq is run in debug mode (-d flag) then SIGINT retains its usual meaning of terminating the dnsmasq process. 

The original topic, containing the script was written a long time ago. Read this updated topic for the latest version of the steps required to setup the solution.

1 Like

I dealt with this issue by hard coding IP addresses for the NTP servers raspbian uses in the hosts file. This probably isn’t a “best practice” but I haven’t had the Pi-hole lose track of time (and thus stop working) since I did this.

1 Like