Some of my Raspberry PIs are offline for some days/weeks. After that the system time is off big time.
I thought: We have systemd-timesyncd. That should be fixed after a few minutes. But DNSSEC doesn't work when the time is off this much.
ping google.com results in
ping: google.com: Name or service not known
But dig works. (When you have it installed! Not the default on archlinuxarm.)
The log in the systemd journal helps here:
DNSSEC validation failed for question google.com IN A: signature-expired
And the same for all the ntp domains:
DNSSEC validation failed for question ntp.org IN DS: no-signature
a) use an IP address in
Add some of the ntp ip addresses to /etc/systemd/timesyncd.conf
NTP=18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52
After that restart timesyncd with
systemctl restart systemd-timesyncd.
But the timesyncd always gets a time out:
systemd-timesyncd: Timed out waiting for reply from 184.108.40.206:123 (220.127.116.11).
b) disable dnssec in
Add this line at the end of /etc/systemd/resolved.conf:
After that restart resolved with
systemctl restart systemd-resolved.
And after some minutes and the next update from timesyncd you have the correct system time again.
Disabling DNSSEC is not what I wanted, but atm I don't see another way to solve this reliably.