mirror of
https://github.com/systemd/systemd-stable.git
synced 2024-12-22 13:33:56 +03:00
units: turn off DNSSEC validation when timesyncd resolves hostnames
We have a chicken and egg problem: validation of DNSSEC signatures doesn't work without a correct clock, but to set the correct clock we need to contact NTP servers which requires resolving a hostname, which would normally require DNSSEC validation. Let's break the cycle by excluding NTP hostname resolution from validation for now. Of course, this leaves NTP traffic unprotected. To cover that we need NTPSEC support, which we can add later. Fixes: #5873 #15607
This commit is contained in:
parent
aee9d18c8d
commit
abf4e5c1d3
@ -22,6 +22,10 @@ Wants=time-set.target
|
||||
AmbientCapabilities=CAP_SYS_TIME
|
||||
BusName=org.freedesktop.timesync1
|
||||
CapabilityBoundingSet=CAP_SYS_TIME
|
||||
# Turn off DNSSEC validation for hostname look-ups, since those need the
|
||||
# correct time to work, but we likely won't acquire that without NTP. Let's
|
||||
# break this chicken-and-egg cycle here.
|
||||
Environment=SYSTEMD_NSS_RESOLVE_VALIDATE=0
|
||||
ExecStart=!!@rootlibexecdir@/systemd-timesyncd
|
||||
LockPersonality=yes
|
||||
MemoryDenyWriteExecute=yes
|
||||
|
Loading…
Reference in New Issue
Block a user