author | Lennart Poettering <lennart@poettering.net> | 2020-11-05 11:20:32 +0100
---|---|---
committer | Lennart Poettering <lennart@poettering.net> | 2021-02-14 22:05:18 +0100
commit | abf4e5c1d3ad767bc0ed67883e8e4d916af095ec |
tree | 4aa656e43a2e16114c60112d5aa2eef111a18e1f |
parent | nss-resolve: allow turning off validation via env var |
download | systemd-abf4e5c1d3ad767bc0ed67883e8e4d916af095ec.tar.xz, systemd-abf4e5c1d3ad767bc0ed67883e8e4d916af095ec.zip |
units: turn off DNSSEC validation when timesyncd resolves hostnames
We have a chicken and egg problem: validation of DNSSEC signatures
doesn't work without a correct clock, but to set the correct clock we
need to contact NTP servers which requires resolving a hostname, which
would normally require DNSSEC validation.
Let's break the cycle by excluding NTP hostname resolution from
validation for now.
Of course, this leaves NTP traffic unprotected. To cover that we need
NTPSEC support, which we can add later.
Fixes: #5873 #15607
-rw-r--r-- | units/systemd-timesyncd.service.in | 4 |
1 files changed, 4 insertions, 0 deletions
diff --git a/units/systemd-timesyncd.service.in b/units/systemd-timesyncd.service.in index c0d63f5c70..6226ab7a40 100644 --- a/units/systemd-timesyncd.service.in +++ b/units/systemd-timesyncd.service.in @@ -22,6 +22,10 @@ Wants=time-set.target AmbientCapabilities=CAP_SYS_TIME BusName=org.freedesktop.timesync1 CapabilityBoundingSet=CAP_SYS_TIME +# Turn off DNSSEC validation for hostname look-ups, since those need the +# correct time to work, but we likely won't acquire that without NTP. Let's +# break this chicken-and-egg cycle here. +Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0 ExecStart=!!@rootlibexecdir@/systemd-timesyncd LockPersonality=yes MemoryDenyWriteExecute=yes |
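Review bot: the unit comment above `Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0` should state the scope and the trade-off, not only the motivation. Per the parent commit ("nss-resolve: allow turning off validation via env var") the variable is honoured by nss-resolve, so the downgrade only takes effect when timesyncd's look-ups actually go through that NSS module; if name resolution on a given system bypasses nss-resolve the cycle is not broken and validation still applies. It also means the NTP server names are resolved without DNSSEC, which the commit message acknowledges but the unit file does not. Suggest extending the comment, e.g. `+# Only effective for look-ups via nss-resolve; NTP server names are then` / `+# resolved unvalidated, so NTP traffic itself stays unauthenticated.`, so an administrator reading the unit sees the reduced assurance without consulting the git history.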