(Again from an address that can email the list...)
> On Mar 11, 2020, at 16:40, Ask Bjørn Hansen <ask@ntp...> wrote:
>
> I haven’t carefully weighed the pros and cons, but variations on the
> following is what I have considered. I don’t know that they’d work as the RFC
> has been described. Past suggestions of different people to consider “pool
> support” wasn’t really picked up.
>
> SRV records with server names then used in the KE.
> Server names would be in a pool controlled DNS name or an operator controlled
> one. The pool controlled one seems more sustainable because we are pretty
> good at DNS.
> Operator could get the cert from letsencrypt or similar or
> Better: get the cert from a “pool CA” that the client is configured to trust.
> This would let the pool issue short lived certificates and make better
> (easier) tooling for operators.
> Of course the pool could also use letsencrypt to issue certs with DNS
> validation and thus let operators have easier tooling to use (and if
> letsencrypt allow you to make shorter lived certs that’d work too.
>
> The main benefit of a pool CA would be knowing the answer is a pool server
> without needing DNSSEC.
>
> (I feel DNSSEC should be done anyway, but the usual arguments around client
> support plus that it’d be significantly more bandwidth and resources on the
> relatively puny DNS servers).
>
>
> Ask
>
>> On Mar 11, 2020, 16:30 -0500, Hal Murray <[email protected]>, wrote:
>>
>> The RFC is close to getting published.
>>
>> Do you know about it? Any thoughts about how to get the pool to support it?
>>
>> In case you and/or others aren't familiar with it, here is a rough
>> description. Details here:
>> https://datatracker.ietf.org/doc/draft-ietf-ntp-using-nts-for-ntp/
>>
>> The idea is to prevent bad guys from forging replies. It doesn't say anything
>> about the server you are talking to providing good time, just that the answer
>> came from the server you expect.
>>
>> It uses a TLS connection to a NTS-KE server to get several cookies and setup
>> encryption keys. Then individual NTP request/response packets are
>> authenticated.
>>
>> The NTS-KE server needs a certificate. Let's Encrypt works fine.
>>
>> TLS uses TCP and the client needs the host name as used in the certificate.
>> So the pool will have to return something other than A or AAAA records.
>>
>>
>> There was some discussion on the IETF NTP list a few weeks ago. No consensus
>> was reached.
>>
>> Subject: [Ntp] NTP pool and NTS brainstorming
>> https://mailarchive.ietf.org/arch/msg/ntp/RlWnEHLUQL67cW_foXIT3KhkXeE/
>>
>> Subject: [Ntp] Draft on using NTS with the pool
>> https://mailarchive.ietf.org/arch/msg/ntp/zokbJFLAxlSPqJcuMEteT_AL8gA/
>>
>> --
>> These are my opinions. I hate spam.
>>
>>
>> _______________________________________________
>> pool mailing list
>> [email protected]
>> http://lists.ntp.org/listinfo/pool
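One way a pool client could act on the SRV-record idea in the quoted thread, as an added Python example that is not from the thread, the pool project or any NTS implementation: it orders constructed sample SRV records per RFC 2782, uses the SRV target (not the pool name) as the TLS server name that the NTS-KE certificate must cover, and can pin trust to a pool CA file instead of the system trust store. The zone name, record values and the hypothetical pool CA path are assumptions; the ALPN id ntske/1 and port 4460 are taken from the published NTS RFC (8915), not from the thread.

```python
import random
import ssl
from dataclasses import dataclass


# Constructed sample answer for a hypothetical _ntske._tcp.<pool zone> lookup;
# not real pool records.
@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


SAMPLE_SRV = [
    SrvRecord(10, 60, 4460, "ke1.pool.example"),
    SrvRecord(10, 40, 4460, "ke2.pool.example"),
    SrvRecord(20, 0, 4460, "ke-backup.pool.example"),
]


def order_srv(records, rng=random):
    """RFC 2782 ordering: lowest priority first, weighted random within a level."""
    ordered = []
    for prio in sorted({r.priority for r in records}):
        pool = [r for r in records if r.priority == prio]
        while pool:
            pick = rng.randint(0, sum(r.weight for r in pool))
            running = 0
            for rec in pool:  # first record whose cumulative weight reaches pick
                running += rec.weight
                if running >= pick:
                    break
            ordered.append(rec)
            pool.remove(rec)
    return ordered


def choose_ke_endpoint(records, rng=random):
    """(server_name, port) for NTS-KE. The SRV target is the name the server's
    certificate must carry; the pool hostname never appears in any cert."""
    best = order_srv(records, rng)[0]
    return best.target, best.port


def ke_tls_context(pool_ca_file=None):
    """TLS settings for NTS-KE. With pool_ca_file, only certificates chaining to
    the pool's own CA are accepted (the 'pool CA' variant, which tells the
    client the answer is a pool server even without DNSSEC); otherwise the
    system roots (Let's Encrypt etc.) are used. Hostname checking stays on."""
    ctx = ssl.create_default_context(cafile=pool_ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_3
    ctx.check_hostname = True
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.set_alpn_protocols(["ntske/1"])
    return ctx


if __name__ == "__main__":
    name, port = choose_ke_endpoint(SAMPLE_SRV)
    ctx = ke_tls_context()  # or ke_tls_context("/etc/ntp/pool-ca.pem"), hypothetical path
    # Connecting would be: ctx.wrap_socket(sock, server_hostname=name) to name:port
    print(f"NTS-KE via {name}:{port}, certificate verified against {name}")
```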
