On Thu, Mar 12, 2020 at 01:56:47AM -0700, Hal Murray wrote:
> I think the way to use DNSSEC is to set up a local caching resolver that uses
> DNSSEC and edit your local /etc/resolv to point to it rather than whatever
> they are currently using.

Yes, but how will the NTS client know the hostname from the SRV record
was actually validated? There are all kinds of issues with DNS
configuration. It may be accidentally misconfigured or disabled, e.g.
different programs managing /etc/resolv.conf. This will lead to a false
sense of security.

> > - not always available (e.g. DNS blocked to Internet and local servers
> > don't support it)
>
> If that's happening, then the current pool approach won't work.

I mean the local servers may not support the DNSSEC-specific records.
Plain NTP would work.

> Does anybody know of a good library package that supports DNSSEC?

libunbound is a popular resolver with DNSSEC support.

-- 
Miroslav Lichvar
_______________________________________________
pool mailing list
[email protected]
http://lists.ntp.org/listinfo/pool
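
Added example, not part of the original message: one way a client that relies on a local resolver could check whether an SRV answer was reported as DNSSEC-validated, by parsing the response and requiring the AD (Authenticated Data) header flag before using the target. The service name, host name, port and the helper names are constructed for illustration.

```python
import struct

AD, SRV = 0x0020, 33   # AD = "Authenticated Data" header flag; SRV = RR type 33

def read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        n = msg[off]
        if (n & 0xC0) == 0xC0:                    # compression pointer
            end = off + 2 if end is None else end
            off, hops = ((n & 0x3F) << 8) | msg[off + 1], hops + 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if n == 0:
            return ".".join(labels) + ".", (off if end is None else end)
        labels.append(msg[off:off + n].decode("ascii"))
        off += n

def srv_targets(msg):
    """Return (validated, [(target, port), ...]) for a DNS response.
    validated is True only if rcode is NOERROR and the resolver set AD."""
    _id, flags, qd, an, _ns, _ar = struct.unpack("!6H", msg[:12])
    if not flags & 0x8000:
        raise ValueError("not a response")
    validated = bool(flags & AD) and (flags & 0x000F) == 0
    off, out = 12, []
    for _ in range(qd):                           # skip the question section
        _, off = read_name(msg, off)
        off += 4
    for _ in range(an):
        _, off = read_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == SRV:                          # priority, weight, port, target
            port = struct.unpack("!H", msg[off + 4:off + 6])[0]
            out.append((read_name(msg, off + 6)[0], port))
        off += rdlen
    return validated, out

def _wire(name):
    return b"".join(bytes([len(l)]) + l.encode() for l in name.split(".") if l) + b"\0"

def sample_response(flags):
    """Constructed response: one SRV answer for a made-up service name."""
    rdata = struct.pack("!3H", 0, 0, 4460) + _wire("nts1.example.org")
    return (struct.pack("!6H", 1, flags, 1, 1, 0, 0)
            + _wire("_ntske._tcp.example.org") + struct.pack("!2H", SRV, 1)
            + b"\xc0\x0c" + struct.pack("!HHIH", SRV, 1, 300, len(rdata)) + rdata)
```

The AD flag only reports what the resolver claims, so it is meaningful only when the resolver itself is trusted and reached over a trusted path such as loopback. If /etc/resolv.conf has been repointed at a non-validating resolver, the same answer comes back with AD clear and this check rejects it.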
