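#!/bin/sh
#
# PROVIDE: ntpd_bootstrap
# REQUIRE: netif ppp
# BEFORE: resolv
# KEYWORD: nojail resume shutdown
#
# Bootstrap the clock when name resolution is blocked by a validating
# resolver: if the pool name resolves, record its addresses for the next
# boot; otherwise run ntpd once against the last recorded addresses (or the
# built-in roots) and then refresh the recorded list.

# BEGIN addition to /etc/defaults/rc.conf
### Network Time Bootstrapping options: ###
ntp_bootstrap_enable="YES"	# Bootstrap NTP with pre-resolved FQDNs, if needed
ntp_bootstrap_pool="0.freebsd.pool.ntp.org"	# Bootstrap NTP with some addresses used by pool
ntp_bootstrap_roots="216.239.35.0 2001:4860:4806:: 162.159.200.123 2606:4700:f1::123"	# Google and CloudFlare public NTP servers
ntp_bootstrap_list="/var/db/ntp_bootstrap_list"	# Up-to-date list of bootstrap servers
ntp_bootstrap_flags="-GNgq"	# Flags to ntpd_program for bootstrap mode
# END addition to /etc/defaults/rc.conf

name="ntp_bootstrap"
desc="Network Time Protocol Bootstrap"
rcvar="ntp_bootstrap_enable"
start_cmd="ntp_bootstrap_start"
stop_cmd=":"

# NOTE(review): load_rc_config, checkyesno and run_rc_command are defined in
# /etc/rc.subr, not in /etc/rc.conf -- confirm this is the intended file.
. /etc/rc.conf
load_rc_config $name

: "${drill_program:=/usr/bin/drill}"

# Look up A records for $ntp_bootstrap_pool through the system resolver and
# print the addresses, space separated, on stdout.
# The resolver is presumed to validate DNSSEC, so "no answer" is taken as
# "clock too wrong for validation" -- this function does not verify that.
# Returns 0 when at least one A record for the queried name was seen,
# 1 otherwise.
dnssec_working() {
	local _n
	# Make sure it has exactly one final dot: a trailing dot in the
	# configured name must not turn into "..".
	_n=${ntp_bootstrap_pool%.}.
	"$drill_program" A "$_n" | (
		e=1
		# drill prints answer records as "owner ttl class type rdata";
		# header and section lines start with ";;" and never match.
		# Only rows whose owner is exactly the queried name and whose
		# type is A are accepted, so nothing but A rdata can ever be
		# passed on to ntpd's argv.
		while read -r fqdn ttl class type address; do
			[ "$_n" = "$fqdn" ] || continue
			[ "$type" = "A" ] || continue
			printf '%s ' "$address"
			e=0
		done
		return $e
	)
}

# If the pool name resolves, replace $ntp_bootstrap_list with the fresh
# address list via write-to-temp + rename.
# Returns 0 when resolution worked (even if the list could not be written,
# since the caller only needs to know whether to bootstrap), 1 otherwise.
ntp_bootstrap_check() {
	local _alist _tmp
	_alist=$(dnssec_working) || return 1
	_tmp="${ntp_bootstrap_list}.tmp"
	# Rename keeps a crash mid-write from leaving a truncated list for the
	# next boot; drop the temp file if either step fails.
	if ! { printf '%s\n' "$_alist" > "$_tmp" &&
	       mv -- "$_tmp" "$ntp_bootstrap_list"; }; then
		rm -f -- "$_tmp"
	fi
	return 0
}

# rc.d start method: bootstrap the clock only when NTP is in use and the
# pool name does not currently resolve.
ntp_bootstrap_start() {
	local _alist
	# Do nothing if NTP is not used
	checkyesno ntpd_enable || checkyesno ntpdate_enable || return 0
	[ -z "$ntp_bootstrap_pool" ] && return 0
	# If DNSSEC already works, just update our list and finish.
	ntp_bootstrap_check && return 0
	# DNSSEC does not work. Try to sync time with pre-resolved server
	# addresses: the list saved by an earlier successful run, else the
	# built-in roots. A missing list file is expected on first boot.
	if ! read -r _alist < "$ntp_bootstrap_list" 2>/dev/null ||
	   [ -z "$_alist" ]; then
		_alist=$ntp_bootstrap_roots
	fi
	# Unquoted on purpose: both are space-separated word lists. The list
	# file is meant to be written only by ntp_bootstrap_check above, so
	# its contents are as trustworthy as the resolver that answered.
	# $ntpd_program is presumably set by the ntpd rc defaults -- confirm.
	$ntpd_program $ntp_bootstrap_flags $_alist
	# If we got it finally, update our list for future calls.
	ntp_bootstrap_check
}

run_rc_command "$1"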