> SRV records with server names then used in the KE.

I think that works. Unfortunately, there is no POSIX API for SRV. It needs DNSSEC or something equivalent.

You said "shorter lived certs" a couple of times. Are you thinking of short enough to cover temporarily removing servers with bad time from the pool? If so, that won't work.

If all goes well, the NTS-KE step is very rare. The client gets 8 cookies. Each NTP exchange uses a cookie and gets back a new cookie. If an occasional packet is lost, the client can ask for extras. The NTP side just keeps running if the server's certificate expires.

> Operator could get the cert from letsencrypt or similar or
> Better: get the cert from a "pool CA" that the client is configured to
> trust.
> This would let the pool issue short lived certificates and make better
> (easier) tooling for operators.

I don't think the pool wants to get into the certificate business. It might help the pool server operators a bit, but it will add a step for the clients.

Let's Encrypt is in the root cert collection distributed by most OSes/distros. So all the client has to do is add "nts" to the "server foo.example.com" line in their config file.

Certificates from Let's Encrypt are not set up to sign other certificates.

-- 
These are my opinions. I hate spam.
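The cookie rotation described in the reply above, modelled as an added Python example (not code from the list post or from any NTS implementation): the client spends one cookie per exchange, asks for extras via placeholders when packets were lost, and only falls back to NTS-KE once the whole supply is gone. The cookie values and the target of 8 are constructed; the one-cookie-per-placeholder accounting assumes RFC 8915 behaviour.

```python
"""Toy model of NTS cookie replenishment (RFC 8915 style).
Constructed example; cookie strings are opaque placeholders made up here."""
import itertools

TARGET_COOKIES = 8          # cookies a client keeps on hand (the "8" above)

_counter = itertools.count(1)


def ke_handshake():
    """NTS-KE: the TLS-authenticated step that hands out the initial cookies."""
    return [f"cookie-{next(_counter)}" for _ in range(TARGET_COOKIES)]


class NtsClient:
    def __init__(self):
        self.cookies = ke_handshake()
        self.ke_runs = 1

    def build_request(self):
        """Consume one cookie; ask for enough extras to refill to the target."""
        if not self.cookies:
            # Only when every cookie is gone does the client need NTS-KE again.
            self.cookies = ke_handshake()
            self.ke_runs += 1
        cookie = self.cookies.pop(0)
        placeholders = TARGET_COOKIES - 1 - len(self.cookies)
        return {"cookie": cookie, "placeholders": placeholders}

    def handle_response(self, response):
        self.cookies.extend(response["new_cookies"])


def server_reply(request):
    """Server returns one fresh cookie plus one per placeholder (assumed)."""
    n = 1 + request["placeholders"]
    return {"new_cookies": [f"cookie-{next(_counter)}" for _ in range(n)]}


def simulate(exchanges, lost):
    """Run `exchanges` NTP exchanges; indexes in `lost` get no reply.
    Returns (final cookie count, number of NTS-KE handshakes performed)."""
    client = NtsClient()
    for i in range(exchanges):
        req = client.build_request()
        if i in lost:
            continue            # response dropped; that cookie is simply spent
        client.handle_response(server_reply(req))
    return len(client.cookies), client.ke_runs
```

A single lost packet is absorbed by the next exchange's placeholder; only eight consecutive losses force a second NTS-KE run.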
_______________________________________________ pool mailing list [email protected] http://lists.ntp.org/listinfo/pool
