On Wed, Mar 18, 2020 at 11:20:18AM -0600, Ask Bjørn Hansen wrote:
> On Mar 12, 2020, at 9:54, Miroslav Lichvar <[email protected]> wrote:
> - clients only trusting a pool certificate authority (that only issues
> short lived certs for x.nts.ntppool.org or some such). With this
> you don't need anything in dns and a mitm attacker at least need to be
> registered in the pool.
>
> Would the servers be able to MITM attack connections to other servers?
>
> No, "x" would be unique per server (the server ID, a hash of the IP, ...).

That means the NTS client needs to be configured with this name, or get it from SRV, right? If the client checked that it is a subdomain of the domain specified in the configuration file, it wouldn't need to rely on DNSSEC?

Just trying to make sure I understand it correctly.

--
Miroslav Lichvar
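The subdomain check asked about above, as an added example that is not part of the original message or of any pool or NTS client code: it filters unauthenticated SRV targets down to names that sit under the configured domain, comparing whole DNS labels. The function names, the `a1b2c3` server label and the sample targets are assumptions made for illustration.

```python
# Added example: names and policy here are assumptions, not pool or NTS client code.

def _labels(name):
    """Split a DNS name into lowercase labels, ignoring one trailing root dot."""
    name = name.strip().lower()
    if name.endswith("."):
        name = name[:-1]
    return name.split(".") if name else []


def is_under_configured_domain(candidate, configured_domain):
    """True if candidate is a strict subdomain of configured_domain.

    Comparison is by whole labels, so 'evilnts.ntppool.org' does not match
    'nts.ntppool.org' the way a plain string-suffix test would.
    """
    cand, base = _labels(candidate), _labels(configured_domain)
    if not base or len(cand) <= len(base):
        return False                      # equal or shorter: not a subdomain
    if any(label == "" or label == "*" for label in cand):
        return False                      # empty label or wildcard: reject
    return cand[-len(base):] == base


def select_nts_names(srv_targets, configured_domain):
    """Keep only SRV targets the client may use as the TLS reference name."""
    return [t for t in srv_targets
            if is_under_configured_domain(t, configured_domain)]


# Constructed sample input: SRV targets as an unauthenticated resolver might return them.
SAMPLE_SRV_TARGETS = [
    "a1b2c3.nts.ntppool.org.",              # per-server name under the configured domain
    "A1B2C3.NTS.ntppool.org",               # same name, different case, no root dot
    "evilnts.ntppool.org.",                 # string suffix matches, label boundary does not
    "nts.ntppool.org.",                     # the domain itself, not a per-server name
    "a1b2c3.nts.ntppool.org.example.net.",  # configured domain used as a prefix
]

if __name__ == "__main__":
    for name in select_nts_names(SAMPLE_SRV_TARGETS, "nts.ntppool.org"):
        print("accept:", name)
```

The check only constrains which name the client will accept from DNS; the TLS certificate still has to validate for that exact name against the CA the client trusts.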
