This is an ongoing problem which probably started when dnssec was added to resolved.
What happens: I have an image and burn it to a new SD card and try to boot my RPi (B1, ZeroW,B2,B3,B4). It boots but cannot reach any server by name. No ping, no wget... I can ping the IP address, though, as the internet is up.
I think the problem is that resolved starts before timesyncd runs and when timesyncd tries to set the time, it tries a names time server and the time stamps on the DNS lookup and response differ and it is rejected. Hence, no timesync.
The workaround is to disable DNSSEC from resolved by adding this to /etc/systemd/resolved.conf
$this->bbcode_second_pass_code('', 'DNSSEC = no')
and reboot. After rebooting, resolved will not use DNSSEC and timesyncd will find the time server and sync the time. Now all lookups start working, but DNSSEC is off. If the Pi is mostly on, you can go back and comment out that line in resolved.conf and reboot and now DNSSEC will work just fine (it does for me).
I do not know how to 'fix' this permanently, but it seems that all RTC-less devices (RPIs, BB?, etc.) can have this issue if they are powered down for a while -OR- devices with RTC that have not yet had their time set will probably also have this issue on first boot.
My guess is that the arch-chroot install image has DNSSEC turned off for the installation, but I have not checked that. I have never had this issue when installing from 'scratch' only when I take a prepared image and put it in a different device. Is there a better work-around? There are a number of threads discussing this and all seem to have been resolved by this work-around with DNSSEC. It feels that there should be some fix for either timesyncd (hard coded IP addresses for timesyncd?) or resolved to allow timesync queries to pass without DNSSEC.
These threads, for example discuss it:
https://archlinuxarm.org/forum/viewtopic.php?f=9&t=14056&p=62406&hilit=DNSSEC#p62406
https://archlinuxarm.org/forum/viewtopic.php?f=9&t=14044
https://archlinuxarm.org/forum/viewtopic.php?f=15&t=14188&start=10
https://madflex.de/posts/raspberry-dns-problems-with-archlinuxarm-and-dnssec/
How to fix the tImesyncd issue at the root of DNSSEC on RPi?
1 post
• Page 1 of 1
How to fix the tImesyncd issue at the root of DNSSEC on RPi?
by keithspg » Sat Apr 25, 2020 3:29 pm
- keithspg
- Posts: 221
- Joined: Mon Feb 23, 2015 4:14 pm
1 post
• Page 1 of 1
Who is online
Users browsing this forum: No registered users and 15 guests