Inaccurate IPFire System Time Can Cause Unbound to Reject DNS Timestamps (was: IPfire has wrong time and DNS doesn't work)

IPFire core 176 on RPI (Raspberry Pi SBC, aarch64). My RPI has no RTC, so the time is not preserved when the device is off. My RPI was off for a week (well, it was not off, but it was not running IPFire).

I wanted to test the update from core 176 to the new 177, but it was not working. I found that DNS doesn't work. I was able to ping an IP address, but when I tried to use a domain name, I received a SERVFAIL error.

My RPI with IPFire has IP address 192.168.111.1 and is configured to connect to a gateway with IPFire (192.168.222.1); it receives the DNS server in the reply from the DHCP server (use ISP assigned DNS). It works, the red interface was working, but no DNS. The main gateway with IPFire connects to a public DNS server with DoT (DNS over TLS), but the RPI with IPFire uses only DNS over UDP…

The current date is 2023-08-07, but the RPI time was 2023-08-04. I do not know what the source of this date is; maybe it is the last time IPFire was running on this RPI and this timestamp was saved to the filesystem. I noticed that ntpdate failed during boot: IPFire was not able to resolve 0.ipfire.pool.ntp.org.

Once I checked /var/log/messages, I found messages from unbound that it receives invalid replies from the DNS server, some issue with timestamps…

Once I fixed the time on the RPI, DNS started to work…

SUMMARY. When the time is not right on the RPI, DNS doesn't work, because "signed" DNS replies are invalid. The RPI doesn't have a battery-backed RTC, so it has to fetch the time during boot. When the NTP "parent" server is specified as a domain name, synchronization can fail, and when that happens, DNS doesn't work… :frowning:
A workaround could be to define one NTP server with an IP address.

Several messages from /var/log/messages:

01:35:42	unbound: [1593:0]	info: validation failure <0.ipfire.pool.ntp.org. AAAA IN>: key for validation org. is marked as invalid
01:35:42	unbound: [1593:0]	info: validation failure <0.ipfire.pool.ntp.org.localdomain. A IN>: signature before inception date from 192.168.222.1 for <. SOA IN>
01:35:42	unbound: [1593:0]	info: validation failure <0.ipfire.pool.ntp.org.localdomain. AAAA IN>: signature before inception date from 192.168.222.1 for <. NSEC IN>
01:35:42	unbound: [1593:0]	info: validation failure <1.ipfire.pool.ntp.org. AAAA IN>: key for validation org. is marked as invalid
01:35:42	unbound: [1593:0]	info: validation failure <1.ipfire.pool.ntp.org.localdomain. A IN>: signature before inception date from 192.168.222.1 for <. NSEC IN>
01:35:42	unbound: [1593:0]	info: validation failure <1.ipfire.pool.ntp.org.localdomain. AAAA IN>: signature before inception date from 192.168.222.1 for <. NSEC IN>

01:36:24	unbound: [1593:0]	info: validation failure <ftp.fau.de. A IN>: signature before inception date from 192.168.222.1 for DS de. while building chain of trust
01:36:24	unbound: [1593:0]	info: validation failure <ftp.fau.de.localdomain. A IN>: signature before inception date from 192.168.222.1 for <. NSEC IN>
01:36:25	unbound: [1593:0]	info: validation failure <mirror1.ipfire.org. A IN>: key for validation org. is marked as invalid
01:36:25	unbound: [1593:0]	info: validation failure <mirror1.ipfire.org.localdomain. A IN>: signature before inception date from 192.168.222.1 for <. NSEC IN>
01:36:33	unbound: [1593:0]	info: validation failure <0.ipfire.pool.ntp.org. A IN>: key for validation org. is marked as invalid
01:36:33	unbound: [1593:0]	info: validation failure <1.ipfire.pool.ntp.org. A IN>: key for validation org. is marked as invalid

One more note. I tried to get the IP address with the host utility, and it was working when I connected to 192.168.222.1 (host 0.ipfire.pool.ntp.org. 192.168.222.1) but failed when I used localhost, the default (host 0.ipfire.pool.ntp.org.). So the DNS replies were rejected by the unbound daemon that validates replies…

It can be replicated with core 177. Set the time to the past:

[root@rpifire ~]# date -s "2023-08-04"

reboot…

[root@rpifire ~]# date
Fri Aug  4 12:02:55 AM CEST 2023

[root@rpifire ~]# host pool.ntp.org
Host pool.ntp.org not found: 2(SERVFAIL)

[root@rpifire ~]# host pool.ntp.org 192.168.222.1
Using domain server:
Name: 192.168.222.1
Address: 192.168.222.1#53
Aliases: 

pool.ntp.org has address 81.27.192.20
pool.ntp.org has address 37.187.104.44
pool.ntp.org has address 213.192.54.227
pool.ntp.org has address 162.159.200.1

The time cannot be fixed:

[root@rpifire ~]# /etc/init.d/ntp stop
Stopping ntpd...                                                                              [  OK  ]

[root@rpifire ~]# date
Fri Aug  4 12:29:54 AM CEST 2023

[root@rpifire ~]# /etc/init.d/ntp start
Setting time on boot...
Error resolving 0.ipfire.pool.ntp.org: Name or service not known (-2)
Error resolving 1.ipfire.pool.ntp.org: Name or service not known (-2)                         [  OK  ]
Starting ntpd...                                                                              [  OK  ]

[root@rpifire ~]# date
Fri Aug  4 12:30:10 AM CEST 2023

When one NTP server is defined with an IP address (like 162.159.200.1), the time can be fixed:

[root@rpifire ~]# cat /var/ipfire/time/settings 
UPDATE_VALUE=1
ENABLENTP=on
UPDATE_PERIOD=daily
NTP_ADDR_2=162.159.200.1
UPDATE_METHOD=periodically
NTP_ADDR_1=0.ipfire.pool.ntp.org
VALID=yes
ENABLECLNTP=on
ENABLESETONBOOT=on
[root@rpifire ~]# date
Fri Aug  4 12:00:23 AM CEST 2023

[root@rpifire ~]# /etc/init.d/ntp restart
Stopping ntpd...                                                                              [  OK  ]
Setting time on boot...
hwclock: Cannot access the Hardware Clock via any known method.
hwclock: Use the --verbose option to see the details of our search for an access method.      [  OK  ]
Starting ntpd...                                                                              [  OK  ]

[root@rpifire ~]# date
Mon Aug  7 06:56:04 AM CEST 2023

When the RPI has no RTC clock module, hwclock fails:

[root@rpifire ~]# hwclock --verbose
hwclock from util-linux 2.39.1
System Time: 1691384295.133804
Trying to open: /dev/rtc0
Trying to open: /dev/rtc
Trying to open: /dev/misc/rtc
No usable clock interface found.
hwclock: Cannot access the Hardware Clock via any known method.
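As an added example, not code from this post or from IPFire/Unbound: a small Python model of the two checks this report is about. It reproduces the "signature before inception date" verdict a DNSSEC validator reaches when the local clock is behind the RRSIG inception time (RFC 4034 section 3.1.5 timestamps compared with RFC 1982 serial arithmetic), and it scans the IPFire time settings shown above for NTP servers given as IP literals, which are the only ones reachable while DNS is still broken. The RRSIG inception and expiration values are constructed; the settings text is taken from the post.

```python
"""Added example: why a clock that is behind makes a DNSSEC validator reject
answers, and which NTP servers in an IPFire time settings file are still
usable while DNS is broken. Not IPFire or Unbound code."""
import ipaddress
from datetime import datetime, timezone

MASK = 0xFFFFFFFF  # RRSIG times are 32-bit seconds since the epoch

def epoch_utc(ts: str) -> int:
    """Parse a YYYYMMDDHHmmSS timestamp (UTC, RFC 4034 presentation format)."""
    dt = datetime.strptime(ts, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
    return int(dt.timestamp())

def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 'a < b' on 32-bit serials, so the check survives the 2106 wraparound."""
    return ((a - b) & MASK) > 0x80000000

def check_rrsig_validity(inception: str, expiration: str, now_epoch: int) -> str:
    """Return the validator verdict for an RRSIG given the local clock."""
    now, inc, exp = now_epoch & MASK, epoch_utc(inception) & MASK, epoch_utc(expiration) & MASK
    if serial_lt(now, inc):
        return "signature before inception date"   # clock behind: the symptom in the post
    if serial_lt(exp, now):
        return "signature expired"                 # clock far ahead: the mirror symptom
    return "valid"

def ntp_servers_by_ip(settings_text: str) -> list:
    """NTP_ADDR_* values that are IP literals, i.e. reachable before DNS works."""
    usable = []
    for line in settings_text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key.startswith("NTP_ADDR_"):
            try:
                usable.append(str(ipaddress.ip_address(value)))
            except ValueError:
                pass  # a hostname: needs a working resolver first
    return usable

# Settings lines as shown in the post; the RRSIG timestamps used below are constructed.
IPFIRE_TIME_SETTINGS = """ENABLENTP=on
NTP_ADDR_2=162.159.200.1
NTP_ADDR_1=0.ipfire.pool.ntp.org
ENABLESETONBOOT=on
"""

if __name__ == "__main__":
    for clock in ("20230803220255", "20230807045604"):   # RPI clock wrong, then fixed (UTC)
        print(clock, check_rrsig_validity("20230805000000", "20230819000000", epoch_utc(clock)))
    print("NTP servers usable without DNS:", ntp_servers_by_ip(IPFIRE_TIME_SETTINGS))
```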

I changed the title of your post a bit for clarity. Thank you for posting your observations and sharing them with the community.
