> On 7 Aug 2023, at 12:02, Rubens Kuhl <rube...@gmail.com> wrote:
> On Sun, Aug 6, 2023 at 8:20 PM Mel Beckman <m...@beckman.org> wrote:
> Or one can read recent research papers that thoroughly document the 
> incredible fragility of the existing NTP hierarchy and soberly consider their 
> recommendations for remediation:
> The paper suggests the compromise of critical infrastructure. So, besides not 
> using NTP, why not stop using DNS? Just populate a hosts file with all you 
> need. 

Well, DNS can be cryptographically secured. There really aren't any good reasons
to not sign your zones today. The majority of responses from authoritative
servers are validated today, so if you sign, the responses will be checked.
Unfortunately, most of those validations still result in insecure instead of
secure because people are not signing their zones.

> BTW, the stratum-0 source you suggested is known to have been manipulated in 
> the past (https://www.gps.gov/systems/gps/modernization/sa/), so you need to 
> bet on that specific state actor not returning to old habits. 
> OTOH, 4 of the 5 servers I suggested have their own atomic clock, and you can 
> keep using GPS as well. If GPS goes bananas on timing, that source will just 
> be disregarded (one of the features of the NTP architecture that has been 
> pointed out over and over in this thread and you keep ignoring it). 
> Rubens 

Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: ma...@isc.org
