Hi Hal,

On 2020-03-11 22:30, Hal Murray wrote:
> The RFC is close to getting published.
>
> Do you know about it? Any thoughts about how to get the pool to support it?
>
> In case you and/or others aren't familiar with it, here is a rough
> description. Details here:
> https://datatracker.ietf.org/doc/draft-ietf-ntp-using-nts-for-ntp/
>
> The idea is to prevent bad guys from forging replies. It doesn't say
> anything about the server you are talking to providing good time, just
> that the answer came from the server you expect.
>
> It uses a TLS connection to an NTS-KE server to get several cookies and
> set up encryption keys. Then individual NTP request/response packets are
> authenticated.
>
> The NTS-KE server needs a certificate. Let's Encrypt works fine.
>
> TLS uses TCP and the client needs the host name as used in the
> certificate. So the pool will have to return something other than A or
> AAAA records.
Sorry for my ignorance of not reading and checking, but a quick litmus test question: Have you considered use of DNSSEC, CA and DANE records? That provides an independent verification path.

Cheers,
Magnus

_______________________________________________
pool mailing list
http://lists.ntp.org/listinfo/pool
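The NTS-KE exchange Hal describes, as an added example that is not code from either author or from the pool project: the client request and the server's cookies and server redirect are carried as type/length/body records inside the TLS session, and a client must reject an unknown record whose critical bit is set. Record types and IDs follow the draft's published form, RFC 8915; the TLS session itself (ALPN "ntske/1") is assumed to be handled outside this snippet, and the server response below is constructed, not captured traffic.

```python
import struct

# NTS-KE record types (RFC 8915); the critical bit is the MSB of the 16-bit type field.
END_OF_MESSAGE, NEXT_PROTOCOL, ERROR, AEAD_ALGORITHM = 0, 1, 2, 4
NEW_COOKIE, SERVER_NEGOTIATION, PORT_NEGOTIATION = 5, 6, 7
CRITICAL = 0x8000
NTPV4, AEAD_AES_SIV_CMAC_256 = 0, 15  # Next Protocol ID for NTPv4; AEAD ID from the IANA AEAD registry

def record(rtype, body=b"", critical=False):
    """Frame one record: 2-byte type (critical bit in MSB), 2-byte body length, body."""
    return struct.pack("!HH", rtype | (CRITICAL if critical else 0), len(body)) + body

def client_request():
    """Minimal client request: NTPv4, AES-SIV-CMAC-256, End of Message (sent over the TLS session)."""
    return (record(NEXT_PROTOCOL, struct.pack("!H", NTPV4), critical=True)
            + record(AEAD_ALGORITHM, struct.pack("!H", AEAD_AES_SIV_CMAC_256), critical=True)
            + record(END_OF_MESSAGE, critical=True))

def parse_response(data):
    """Parse a server response; reject truncation, Error records and unknown critical records."""
    out = {"cookies": [], "server": None, "port": 123, "protocols": [], "aead": None}
    off = 0
    while off + 4 <= len(data):
        rtype, length = struct.unpack_from("!HH", data, off)
        critical, rtype = bool(rtype & CRITICAL), rtype & 0x7FFF
        body = data[off + 4:off + 4 + length]
        if len(body) != length:
            raise ValueError("truncated record")
        off += 4 + length
        if rtype == END_OF_MESSAGE:
            return out
        if rtype == NEXT_PROTOCOL:
            out["protocols"] = list(struct.unpack("!%dH" % (length // 2), body))
        elif rtype == AEAD_ALGORITHM:
            out["aead"] = struct.unpack("!H", body)[0]
        elif rtype == NEW_COOKIE:
            out["cookies"].append(body)  # opaque to the client; one is spent per authenticated NTP request
        elif rtype == SERVER_NEGOTIATION:
            out["server"] = body.decode("ascii")  # NTP server to use instead of the NTS-KE host
        elif rtype == PORT_NEGOTIATION:
            out["port"] = struct.unpack("!H", body)[0]
        elif rtype == ERROR:
            raise ValueError("server error code %d" % struct.unpack("!H", body)[0])
        elif critical:
            raise ValueError("unknown critical record type %d" % rtype)
    raise ValueError("response ended without End of Message")

# Constructed sample response (not captured traffic): two cookies and a redirect to a specific NTP host.
SAMPLE_RESPONSE = (record(NEXT_PROTOCOL, struct.pack("!H", NTPV4), critical=True)
                   + record(AEAD_ALGORITHM, struct.pack("!H", AEAD_AES_SIV_CMAC_256), critical=True)
                   + record(NEW_COOKIE, b"\x01" * 32) + record(NEW_COOKIE, b"\x02" * 32)
                   + record(SERVER_NEGOTIATION, b"ntp.example.net") + record(END_OF_MESSAGE, critical=True))
```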
