git.ipfire.org Git - thirdparty/systemd.git/commit
units: turn off DNSSEC validation when timesyncd resolves hostnames 18563/head
author Lennart Poettering <lennart@poettering.net>
Thu, 5 Nov 2020 10:20:32 +0000 (11:20 +0100)
committer Lennart Poettering <lennart@poettering.net>
Sun, 14 Feb 2021 21:05:18 +0000 (22:05 +0100)
commit abf4e5c1d3ad767bc0ed67883e8e4d916af095ec
tree 4aa656e43a2e16114c60112d5aa2eef111a18e1f
parent aee9d18c8d909eb7aca2838e4bce5da018b6a112
units: turn off DNSSEC validation when timesyncd resolves hostnames

We have a chicken and egg problem: validation of DNSSEC signatures
doesn't work without a correct clock, but to set the correct clock we
need to contact NTP servers which requires resolving a hostname, which
would normally require DNSSEC validation.

Let's break the cycle by excluding NTP hostname resolution from
validation for now.

Of course, this leaves NTP traffic unprotected. To cover that we need
NTPSEC support, which we can add later.

Fixes: #5873 #15607
units/systemd-timesyncd.service.in
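
The clock dependency described in the commit message, as an added example that is not part of the commit or of systemd's code: a validator accepts an RRSIG only while its own clock lies between the signature's inception and expiration (RFC 4034 section 3.1.5, compared with RFC 1982 serial arithmetic). Function names, dates and clock scenarios below are constructed for illustration.

```python
"""RRSIG validity-window check evaluated against correct and wrong clocks."""
from datetime import datetime, timezone

MOD = 2 ** 32    # RRSIG inception/expiration are 32-bit seconds since the epoch
HALF = 2 ** 31


def serial_le(a: int, b: int) -> bool:
    """a <= b under RFC 1982 serial number arithmetic on 32-bit values."""
    return ((b - a) % MOD) < HALF


def rrsig_time_valid(now: int, inception: int, expiration: int) -> bool:
    """True if the validator's clock falls inside the signature window."""
    now %= MOD
    return serial_le(inception, now) and serial_le(now, expiration)


def ts(day: str) -> int:
    """UTC midnight of a YYYY-MM-DD date as a Unix timestamp."""
    parsed = datetime.strptime(day, "%Y-%m-%d")
    return int(parsed.replace(tzinfo=timezone.utc).timestamp())


# Constructed sample: a signature over an NTP server's address record.
INCEPTION = ts("2021-02-01")
EXPIRATION = ts("2021-03-01")

# Constructed clock states a host might boot with before time sync has run.
CLOCKS = {
    "correct clock": ts("2021-02-14"),
    "clock at epoch": 0,
    "clock stuck in the past": ts("2019-01-01"),
    "clock far ahead": ts("2023-06-01"),
}


def evaluate() -> dict:
    """Map each clock scenario to whether the signature would be accepted."""
    return {label: rrsig_time_valid(now, INCEPTION, EXPIRATION)
            for label, now in CLOCKS.items()}


if __name__ == "__main__":
    for label, ok in evaluate().items():
        print(f"{label:26} -> {'accepted' if ok else 'rejected (time window)'}")
```

Every wrong-clock case rejects a signature that is cryptographically fine, so with validation enforced the NTP hostname lookup that would correct the clock cannot succeed.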