Allow NTP sync before enforcing DNSSEC time check


#1

Raspberry Pis do not have real time clocks, so if they’re off for enough time or otherwise lose time, every DNSSEC validation comes back as bogus.

This makes it impossible for the system to sync with an NTP server, since the required DNS responses get rejected as bogus; after this everything stops working.

Please add some sort of detection logic to detect whether time is correct, or simply don’t enforce the time check until the system has had a chance to sync with an NTP server. dnsmasq can be told to skip the time check with the --dnssec-no-timecheck option.

Thanks! I really enjoy this project and appreciate the effort that has been put in thus far!


#2

I second this. I have a few smart lights that work with my Google Home, and if my Raspberry Pi is shut down for more than, say, half an hour, I have to manually set the time to get close enough and then do a time sync with the NTP server. A real headache, to be honest.


#3

A solution for this already exists in native dnsmasq (and thus pihole-FTL):
add a new configuration file to /etc/dnsmasq.d (don’t add it to 01-pihole.conf, as this will remove the new setting after pihole -up or pihole -r; create XX-dnssec.conf instead) with the content:

dnssec-no-timecheck

from the dnsmasq man page:

--dnssec-no-timecheck
DNSSEC signatures are only valid for specified time windows, and should be rejected outside those windows. This generates an interesting chicken-and-egg problem for machines which don't have a hardware real time clock. For these machines to determine the correct time typically requires use of NTP and therefore DNS, but validating DNS requires that the correct time is already known. Setting this flag removes the time-window checks (but not other DNSSEC validation) only until the dnsmasq process receives SIGINT. The intention is that dnsmasq should be started with this flag when the platform determines that reliable time is not currently available. As soon as reliable time is established, a SIGINT should be sent to dnsmasq, which enables time checking, and purges the cache of DNS records which have not been thoroughly checked.
Earlier versions of dnsmasq overloaded SIGHUP (which re-reads much configuration) to also enable time validation.
If dnsmasq is run in debug mode (-d flag) then SIGINT retains its usual meaning of terminating the dnsmasq process.

Edit: The original topic, containing the script, was written a long time ago. Read this updated topic for the latest version of the steps required to set up the solution.
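As an added example (not code from this thread or from the Pi-hole project), here is the start-without-timecheck-then-signal sequence the man page excerpt describes, which also supplies the "is time correct yet" detection asked for in the first post. It assumes dnssec-no-timecheck is already in a /etc/dnsmasq.d file, that the clock is disciplined by systemd-timesyncd so `timedatectl show` reports NTPSynchronized=yes|no, and that the dnsmasq process is named pihole-FTL; the script name dnssec-timecheck.sh is a placeholder.

```shell
#!/bin/sh
# Added example, not code from the Pi-hole project or the thread above.
# Assumes: dnssec-no-timecheck already configured for pihole-FTL, a systemd
# host where `timedatectl show` prints NTPSynchronized=yes|no, and that the
# dnsmasq process is named pihole-FTL. Save as dnssec-timecheck.sh and run it
# once at boot (e.g. from a systemd unit started after pihole-FTL).

POLL_INTERVAL=10   # seconds between checks
MAX_POLLS=60       # give up after 10 minutes

# Decide from a `timedatectl show` dump whether the clock is NTP-synchronised.
# The dump is passed as $1 so the logic can be exercised on constructed input.
ntp_synced() {
    printf '%s\n' "$1" | grep -qx 'NTPSynchronized=yes'
}

# Poll until NTP has synchronised or the poll budget runs out.
wait_for_time() {
    polls=0
    while [ "$polls" -lt "$MAX_POLLS" ]; do
        if ntp_synced "$(timedatectl show 2>/dev/null)"; then
            return 0
        fi
        polls=$((polls + 1))
        sleep "$POLL_INTERVAL"
    done
    return 1
}

# SIGINT makes a dnsmasq started with dnssec-no-timecheck turn the time-window
# checks back on and purge cache entries that were not fully validated.
enable_timecheck() {
    pkill -INT -x pihole-FTL
}

main() {
    if wait_for_time; then
        enable_timecheck && echo "reliable time available; DNSSEC time check enabled"
    else
        echo "NTP did not sync within the poll budget; time check left disabled" >&2
        exit 1
    fi
}

# Only run when invoked under the script name, so the functions can be sourced.
case "${0##*/}" in dnssec-timecheck.sh) main ;; esac
```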