On Fri, 16 Oct 2020 11:46:31 -0700 Jordan Geoghegan <jor...@geoghegan.ca> wrote:
> Not exactly, there are no NTP servers running over HTTP, it's a
> similar concept to the tlsdate util [1].

OK, but you still need to connect to some server, be it NTP or HTTPS, in order to get the initial time. If you can't rely on DNS (and you don't want to dynamically modify the DNS server/resolver config to ignore clock skew), then you still have to hard-code an IP address somewhere. This was one of the objections raised by some people on this list, as they didn't want to use an IP address for some reason. In this case, why bother with HTTPS when you could use the IP address of a real NTP server?

NTP security is currently being addressed with the NTS (Network Time Security) protocol extensions:

https://blog.cloudflare.com/secure-time/
https://blog.apnic.net/2019/11/08/network-time-security-new-ntp-authentication-mechanism/

NetBSD (and others) need an NTS-capable client as part of the base OS, and then people like CloudFlare need to provide NTS-capable time servers (which they may already do) via stable IP addresses that never change, similar to their DNS servers. NTS is still at the draft stage, but this is probably the best purpose-built solution for authenticating (and not necessarily encrypting) NTP traffic.