Re: NTP through DNS?

2018-09-27 Thread Bob McDonald
Having multiple CNAME records for the same hostname is a violation of
RFC 1034 (that, and BIND 9 won't allow it...).

Surely there must be some creative solution which doesn't a) violate the
DNS specs and b) suggest the use of deprecated software (BIND 8).

Regards,

Bob
___
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe 
from this list

bind-users mailing list
bind-users@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
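A checker for the rule Bob cites above, added here as an example and not code from this thread, ISC or the NTP project: it parses a zone-file fragment and reports owner names that carry more than one CNAME (or a CNAME beside other data), and puts the thread's multi-CNAME suggestion next to a compliant form of the same idea, one name with several A/AAAA records (which ntpd's `pool` directive uses in full) plus the `_ntp._udp` SRV records that Andrew notes chrony's helper reads. The example.test names and addresses are constructed placeholders.

```python
"""Check a zone-file fragment against the CNAME rule of RFC 1034 section 3.6.2.

Added example, not code from this thread, ISC or the NTP project.  An owner
name that has a CNAME may carry no other data, so several CNAMEs at one name
(or a CNAME beside an A/AAAA/SRV) is invalid and BIND 9 will not load the zone.
The compliant alternative for ntpd's `pool` directive, which uses every
address the name resolves to, is one name with several A/AAAA records; the
_ntp._udp SRV records are what chrony's DHCP/SRV helper looks up.
"""
from collections import defaultdict

# Constructed fragment in the shape of the "locationntp CNAME ..." suggestion
# from the thread; example.test names and 192.0.2.0/24 addresses are placeholders.
INVALID_ZONE = """\
$ORIGIN example.test.
locationntp  IN CNAME ntp1.example.test.
             IN CNAME ntp2.example.test.
             IN CNAME externalntp.otherdomain.test.
"""

# Constructed compliant version: the same server set as address records under
# one name (for `pool ntplist.example.test iburst`) plus SRV records.
VALID_ZONE = """\
$ORIGIN example.test.
ntp1         IN A     192.0.2.10
ntp2         IN A     192.0.2.11
ntplist      IN A     192.0.2.10
             IN A     192.0.2.11
             IN AAAA  2001:db8::10
_ntp._udp    IN SRV   10 50 123 ntp1.example.test.
             IN SRV   10 50 123 ntp2.example.test.
"""

RR_TYPES = {"A", "AAAA", "CNAME", "SRV", "MX", "NS", "TXT", "PTR", "SOA"}


def parse_zone(text):
    """Return (owner, rrtype) pairs from a master-file fragment.

    Handles $ORIGIN, the "@" owner, relative names, optional TTL/class
    fields, ';' comments and the convention that a line starting with
    whitespace repeats the previous owner name.
    """
    origin = "."
    last_owner = None
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()
        if not line.strip():
            continue
        if line.startswith("$ORIGIN"):
            origin = line.split()[1]
            continue
        fields = line.split()
        if line[0].isspace():
            owner = last_owner
        else:
            owner = fields.pop(0)
        if owner is None:
            raise ValueError("record without an owner name: %r" % raw)
        if owner == "@":
            owner = origin
        elif not owner.endswith("."):
            owner = owner + "." + origin if origin != "." else owner + "."
        # Skip an optional TTL and class so fields[0] is the RR type.
        while fields and (fields[0].isdigit() or fields[0].upper() in ("IN", "CH", "HS")):
            fields.pop(0)
        if not fields or fields[0].upper() not in RR_TYPES:
            raise ValueError("unrecognised record: %r" % raw)
        last_owner = owner
        records.append((owner.lower(), fields[0].upper()))
    return records


def cname_violations(records):
    """Owner names that have more than one CNAME, or a CNAME plus other data."""
    by_owner = defaultdict(list)
    for owner, rrtype in records:
        by_owner[owner].append(rrtype)
    bad = []
    for owner, types in by_owner.items():
        cnames = types.count("CNAME")
        if cnames > 1 or (cnames == 1 and len(types) > 1):
            bad.append(owner)
    return sorted(bad)


def lint(text):
    """Parse a fragment and return the owner names BIND 9 would reject."""
    return cname_violations(parse_zone(text))


if __name__ == "__main__":
    print("invalid fragment:", lint(INVALID_ZONE))  # ['locationntp.example.test.']
    print("compliant fragment:", lint(VALID_ZONE))  # []
```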


Re: NTP through DNS?

2018-09-26 Thread Chris Thompson

On Sep 24 2018, Danny Mayer wrote:
[...]
> This is very simple to do. It does not require SRV records to implement.
> Note that I am only answering for the ntp reference implementation.
>
> In your domain file add entries like this:
>
> locationntp CNAME ntp1.yourdomain
>             CNAME ntp2.yourdomain
>             CNAME externalntp.otherdomain
>             CNAME externalntp.someotherdomain


Assuming that you are running name server software that actually allows
you to have several CNAMEs with the same label, of course.

BIND8 with "multiple-cnames yes", perhaps? :-)

--
Chris Thompson
Email: c...@cam.ac.uk


Re: NTP through DNS?

2018-09-25 Thread Matus UHLAR - fantomas

> On 9/22/2018 9:50 AM, Reindl Harald wrote:
>> * hell, the topic is "is ntp autodiscovery possible?"
     ^
>> * so the whole answer to the thread is simply "no"
>>
>> "NTP can use the CNAME records" makes no sense at all in this topic
>>
>> the topic is not about what NTP can use, the topic is about unconfigured
>> machines *finding* the NTP server in the local network without any
>> manually configuration - not more, mot less
         ^^                           ^^^

On 24.09.18 10:00, Danny Mayer wrote:
> In your domain file add entries like this:

This is called local configuration.

> Simple enough?

No. It requires local configuration of the NTP server.
In that case, a DNS-side solution is useless.

--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
"One World. One Web. One Program." - Microsoft promotional advertisement
"One people, one Reich, one leader!" - Adolf Hitler


Re: NTP through DNS?

2018-09-24 Thread Danny Mayer
On 9/22/2018 9:30 AM, Matus UHLAR - fantomas wrote:
>>>> On 9/21/2018 3:57 PM, Mauricio Tavares wrote:
>>>>> But that is not, as Ray said, automated discovery. You are
>>>>> asking the computer to make assumptions, i.e. "if I am in domain
>>>>> hey.com, the ntp is ntp.hey.com." I am more on the lines of "hey
>>>>> domain thingie. You know where a lot of your basic network resources
>>>>> are. If you have a ntp server do you know where it is just like you
>>>>> know where your mail, LDAP, and kerbie servers are hiding?"
>>>>
>>> On 21.09.18 at 22:19, Danny Mayer wrote:
>>>> That's not what I wrote. Someone needs to maintain an SRV record. It's
>>>> not a good idea for domains to announce their NTP servers since they can
>>>> be abused by others not authorized to use them. We've had plenty of
>>>> abuse along those lines along with DDOS attacks. What the ntp CNAME
>>>> would do is point to a number of other servers to use and you don't need
>>>> to call it ntp, it's just a string.
> 
>> On 9/21/2018 6:33 PM, Reindl Harald wrote:
>>> but *nobody* cares about what is a good idea when the question was
>>> simply "does ntp discovery work" where the answer is simply no
> 
> On 21.09.18 21:39, Danny Mayer wrote:
>> No, that's not true. Consider what you are doing. You are substituting
>> SRV records for CNAME records. There is nothing magical here. NTP can
>> use the CNAME records. Either way the records have to be configured.
>> What do you think you are discovering? SRV records aren't magic.
> 
> The OP request indicated that they wish for ntp autoconfiguration. There is
> no autoconfiguration we know of, unless DHCP, which was reported often not to
> work.
> 

I worked with the DHCP working group a number of years ago to add
options for ntp configuration. The RFC has been released but I don't
have that ID handy. I have no idea whether any DHCP implementation is
using it today.

> Using either CNAME or SRV records won't change the fact that the ntp server
> does not autoconfigure itself.
> 
> Neither of them also changes the fact that the NTP configuration is not
> related to domain, but to the local network.
>

Doesn't matter. The pool configuration option works like the server
option but sets up all of the servers that it finds rather than just
taking the first one on the list.

pool ntplist.yourdomain iburst

in your ntp.conf file works really well.

Danny


Re: NTP through DNS?

2018-09-24 Thread Danny Mayer
On 9/22/2018 9:50 AM, Reindl Harald wrote:
> 
> 
> On 22.09.18 at 03:39, Danny Mayer wrote:
>>> but *nobody* cares about what is a good idea when the question was
>>> simply "does ntp discovery work" where the answer is simply no
>>
>> No, that's not true. Consider what you are doing. You are substituting
>> SRV records for CNAME records. There is nothing magical here. NTP can
>> use the CNAME records. Either way the records have to be configured.
>> What do you think you are discovering? SRV records aren't magic
> 
> * hell, the topic is "is ntp autodiscovery possible?"
> * that's done with SRV records for supported services
> * but nothing is using them in case of NTP
> * so the whole answer to the thread is simply "no"
> 
> "NTP can use the CNAME records" makes no sense at all in this topic
> 
> the topic is not about what NTP can use, the topic is about unconfigured
> machines *finding* the NTP server in the local network without any
> manual configuration - not more, not less

This is very simple to do. It does not require SRV records to implement.
Note that I am only answering for the ntp reference implementation.

In your domain file add entries like this:

locationntp CNAME ntp1.yourdomain
            CNAME ntp2.yourdomain
            CNAME externalntp.otherdomain
            CNAME externalntp.someotherdomain

In your ntp.conf file put the following line:
pool locationntp.yourdomain

This will cause it to use ALL of the entries listed. You can have as
many as 10 entries in your DNS and it will use all of them. Don't use
fewer than 3; 4 is better.

Simple enough?

Danny


Re: NTP through DNS?

2018-09-23 Thread Dave Warren
On Sun, Sep 23, 2018, at 03:24, Ray Bellis wrote:
> On 22/09/2018 02:39, Danny Mayer wrote:
> 
> > No, that's not true. Consider what you are doing. You are substituting
> > SRV records for CNAME records. There is nothing magical here. NTP can
> > use the CNAME records. Either way the records have to be configured.
> > What do you think you are discovering? SRV records aren't magic.
> 
> SRV records aren't magic, but they are an "approved" way of discovering
> services.

If you have a domain, yes. But it doesn't help with network based autodiscovery 
in a meaningful way. I would argue DHCP is the correct answer (even if it 
points to DNS and uses SRV records, the process starts with DHCP). But we also 
know that many clients don't use DHCP provided NTP servers, so split view DNS 
records are the only real practical solution that is client-independent, noting 
that it still needs some initial client configuration.


> We've all seen what happened with the convention of "www." to "discover"
> the HTTP service on a domain and how the (marketing folks) desire to
> drop that has caused no end of CNAME related issues...

Doesn't this predate SRV records?


Re: NTP through DNS?

2018-09-23 Thread Ray Bellis
On 22/09/2018 02:39, Danny Mayer wrote:

> No, that's not true. Consider what you are doing. You are substituting
> SRV records for CNAME records. There is nothing magical here. NTP can
> use the CNAME records. Either way the records have to be configured.
> What do you think you are discovering? SRV records aren't magic.

SRV records aren't magic, but they are an "approved" way of discovering
services.

We've all seen what happened with the convention of "www." to "discover"
the HTTP service on a domain and how the (marketing folks) desire to
drop that has caused no end of CNAME related issues...

Ray



Re: NTP through DNS?

2018-09-22 Thread Andrew Latham
chrony does today btw

   - debian/chrony-helper:
     - New helper script to make use of NTP servers obtained from DHCP and
       _ntp._udp DNS SRV records.


On Sat, Sep 22, 2018 at 8:31 AM Matus UHLAR - fantomas 
wrote:

> >>> On 9/21/2018 3:57 PM, Mauricio Tavares wrote:
> >>>> But that is not, as Ray said, automated discovery. You are
> >>>> asking the computer to make assumptions, i.e. "if I am in domain
> >>>> hey.com, the ntp is ntp.hey.com." I am more on the lines of "hey
> >>>> domain thingie. You know where a lot of your basic network resources
> >>>> are. If you have a ntp server do you know where it is just like you
> >>>> know where your mail, LDAP, and kerbie servers are hiding?"
> >>>
> >> On 21.09.18 at 22:19, Danny Mayer wrote:
> >>> That's not what I wrote. Someone needs to maintain an SRV record. It's
> >>> not a good idea for domains to announce their NTP servers since they can
> >>> be abused by others not authorized to use them. We've had plenty of
> >>> abuse along those lines along with DDOS attacks. What the ntp CNAME
> >>> would do is point to a number of other servers to use and you don't need
> >>> to call it ntp, it's just a string.
> >>
> > On 9/21/2018 6:33 PM, Reindl Harald wrote:
> >> but *nobody* cares about what is a good idea when the question was
> >> simply "does ntp discovery work" where the answer is simply no
> >
> On 21.09.18 21:39, Danny Mayer wrote:
> > No, that's not true. Consider what you are doing. You are substituting
> > SRV records for CNAME records. There is nothing magical here. NTP can
> > use the CNAME records. Either way the records have to be configured.
> > What do you think you are discovering? SRV records aren't magic.
>
> The OP request indicated that they wish for ntp autoconfiguration. There is
> no autoconfiguration we know of, unless DHCP, which was reported often not to
> work.
>
> Using either CNAME or SRV records won't change the fact that the ntp server
> does not autoconfigure itself.
>
> Neither of them also changes the fact that the NTP configuration is not
> related to domain, but to the local network.
>
>
>
> --
> Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
> Warning: I wish NOT to receive e-mail advertising to this address.
> Warning: I do NOT want to receive any advertising mail at this address.
> Chernobyl was an Windows 95 beta test site.


-- 
- Andrew "lathama" Latham -


Re: NTP through DNS?

2018-09-22 Thread Matus UHLAR - fantomas

>>> On 9/21/2018 3:57 PM, Mauricio Tavares wrote:
>>>> But that is not, as Ray said, automated discovery. You are
>>>> asking the computer to make assumptions, i.e. "if I am in domain
>>>> hey.com, the ntp is ntp.hey.com." I am more on the lines of "hey
>>>> domain thingie. You know where a lot of your basic network resources
>>>> are. If you have a ntp server do you know where it is just like you
>>>> know where your mail, LDAP, and kerbie servers are hiding?"
>>>
>> On 21.09.18 at 22:19, Danny Mayer wrote:
>>> That's not what I wrote. Someone needs to maintain an SRV record. It's
>>> not a good idea for domains to announce their NTP servers since they can
>>> be abused by others not authorized to use them. We've had plenty of
>>> abuse along those lines along with DDOS attacks. What the ntp CNAME
>>> would do is point to a number of other servers to use and you don't need
>>> to call it ntp, it's just a string.
>>
> On 9/21/2018 6:33 PM, Reindl Harald wrote:
>> but *nobody* cares about what is a good idea when the question was
>> simply "does ntp discovery work" where the answer is simply no
>
On 21.09.18 21:39, Danny Mayer wrote:
> No, that's not true. Consider what you are doing. You are substituting
> SRV records for CNAME records. There is nothing magical here. NTP can
> use the CNAME records. Either way the records have to be configured.
> What do you think you are discovering? SRV records aren't magic.

The OP request indicated that they wish for ntp autoconfiguration. There is
no autoconfiguration we know of, unless DHCP, which was reported often not to
work.

Using either CNAME or SRV records won't change the fact that the ntp server
does not autoconfigure itself.

Neither of them also changes the fact that the NTP configuration is not
related to domain, but to the local network.


--
Matus UHLAR - fantomas, uh...@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do NOT want to receive any advertising mail at this address.
Chernobyl was an Windows 95 beta test site.


Re: NTP through DNS?

2018-09-21 Thread Danny Mayer
On 9/21/2018 6:33 PM, Reindl Harald wrote:
> 
> 
> On 21.09.18 at 22:19, Danny Mayer wrote:
>> On 9/21/2018 3:57 PM, Mauricio Tavares wrote:
>>>>> The discussion was about automated _discovery_ of the DNS name of your
>>>>> NTP server using an additional level of indirection so that it can be
>>>>> automatically configured without using DHCP.
>>>>
>>>> That's easy. Create a FQDN called ntp in your domain and have it be a
>>>> set of CNAMES pointing to the ntp servers you want to use. The ntpd pool
>>>> option will take care of setting the multiple servers. You don't need
>>>> the complexity of SRV records.

>>>   But that is not, as Ray said, automated discovery. You are
>>> asking the computer to make assumptions, i.e. "if I am in domain
>>> hey.com, the ntp is ntp.hey.com." I am more on the lines of "hey
>>> domain thingie. You know where a lot of your basic network resources
>>> are. If you have a ntp server do you know where it is just like you
>>> know where your mail, LDAP, and kerbie servers are hiding?"
>>
>> That's not what I wrote. Someone needs to maintain an SRV record. It's
>> not a good idea for domains to announce their NTP servers since they can
>> be abused by others not authorized to use them. We've had plenty of
>> abuse along those lines along with DDOS attacks. What the ntp CNAME
>> would do is point to a number of other servers to use and you don't need
>> to call it ntp, it's just a string.
> 
> but *nobody* cares about what is a good idea when the question was
> simply "does ntp discovery work" where the answer is simply no

No, that's not true. Consider what you are doing. You are substituting
SRV records for CNAME records. There is nothing magical here. NTP can
use the CNAME records. Either way the records have to be configured.
What do you think you are discovering? SRV records aren't magic.

Danny


Re: NTP through DNS?

2018-09-21 Thread Danny Mayer
On 9/21/2018 3:57 PM, Mauricio Tavares wrote:
> On Fri, Sep 21, 2018 at 3:14 PM, Danny Mayer wrote:
>> On 9/21/2018 7:56 AM, Ray Bellis wrote:
>>> On 21/09/2018 12:47, Danny Mayer wrote:
>>>
>>>> Putting on both my BIND9 and NTP hats for a moment:
>>>>
>>>> This answer makes no sense. NTP uses standard DNS FQDN's for all of its
>>>> references to NTP servers whether it's using pool, server or peer. I
>>>> have no idea where the reverse zone comes in though I haven't read the
>>>> whole thread. The NTP services all belong to domains, whether internal or
>>>> external. There is a DHCP option that we have seen but it seems to cause
>>>> more confusion than anything.
>>>>
>>>> You can create a DNS A or AAAA or even a CNAME in your local DNS that
>>>> the NTP server can use and it all works.
>>>>
>>>> Let me know if I misunderstood what this is really about.
>>>
>>> I believe you have.
>>>
>>> The discussion was about automated _discovery_ of the DNS name of your
>>> NTP server using an additional level of indirection so that it can be
>>> automatically configured without using DHCP.
>>
>> That's easy. Create a FQDN called ntp in your domain and have it be a
>> set of CNAMES pointing to the ntp servers you want to use. The ntpd pool
>> option will take care of setting the multiple servers. You don't need
>> the complexity of SRV records.
>>
>   But that is not, as Ray said, automated discovery. You are
> asking the computer to make assumptions, i.e. "if I am in domain
> hey.com, the ntp is ntp.hey.com." I am more on the lines of "hey
> domain thingie. You know where a lot of your basic network resources
> are. If you have a ntp server do you know where it is just like you
> know where your mail, LDAP, and kerbie servers are hiding?"

That's not what I wrote. Someone needs to maintain an SRV record. It's
not a good idea for domains to announce their NTP servers since they can
be abused by others not authorized to use them. We've had plenty of
abuse along those lines along with DDOS attacks. What the ntp CNAME
would do is point to a number of other servers to use and you don't need
to call it ntp, it's just a string.

Danny


Re: NTP through DNS?

2018-09-21 Thread Warren Kumari
On Fri, Sep 21, 2018 at 7:57 AM Danny Mayer wrote:

> On 9/19/2018 10:12 AM, Andrew Latham wrote:
> > You can add SRV records for NTP to your domain if that is what you are
> > asking.
> >
>
> NTP doesn't use SRV records and I don't see a use case to do so.
>

Well, apparently at one point you did :-) --
http://lists.ntp.org/pipermail/questions/2004-December/003645.html

It seems that FreeIPA does actually use SRV for NTP (
https://www.redhat.com/archives/freeipa-users/2014-August/msg00254.html)
It shows up in various other FreeIPA discussion and some mentions of is
being used with NetApp.


W


> Therefore I have no idea why this would be any benefit. You can add NTP
> specific FQDN's as A or AAAA or CNAME records if that would be helpful.
>
> Danny
>
> > On Wed, Sep 19, 2018 at 9:09 AM Mauricio Tavares wrote:
> >
> > Stupid question: can I publish/query the NTP server through DNS the
> > same way I can ask who is doing LDAP?


-- 
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
   ---maf


Re: NTP through DNS?

2018-09-21 Thread Mauricio Tavares
On Fri, Sep 21, 2018 at 3:14 PM, Danny Mayer wrote:
> On 9/21/2018 7:56 AM, Ray Bellis wrote:
>> On 21/09/2018 12:47, Danny Mayer wrote:
>>
>>> Putting on both my BIND9 and NTP hats for a moment:
>>>
>>> This answer makes no sense. NTP uses standard DNS FQDN's for all of its
>>> references to NTP servers whether it's using pool, server or peer. I
>>> have no idea where the reverse zone comes in though I haven't read the
>>> whole thread. The NTP services all belong to domains, whether internal or
>>> external. There is a DHCP option that we have seen but it seems to cause
>>> more confusion than anything.
>>>
>>> You can create a DNS A or AAAA or even a CNAME in your local DNS that
>>> the NTP server can use and it all works.
>>>
>>> Let me know if I misunderstood what this is really about.
>>
>> I believe you have.
>>
>> The discussion was about automated _discovery_ of the DNS name of your
>> NTP server using an additional level of indirection so that it can be
>> automatically configured without using DHCP.
>
> That's easy. Create a FQDN called ntp in your domain and have it be a
> set of CNAMES pointing to the ntp servers you want to use. The ntpd pool
> option will take care of setting the multiple servers. You don't need
> the complexity of SRV records.
>
  But that is not, as Ray said, automated discovery. You are
asking the computer to make assumptions, i.e. "if I am in domain
hey.com, the ntp is ntp.hey.com." I am more on the lines of "hey
domain thingie. You know where a lot of your basic network resources
are. If you have a ntp server do you know where it is just like you
know where your mail, LDAP, and kerbie servers are hiding?"


> Danny


Re: NTP through DNS?

2018-09-21 Thread Danny Mayer
On 9/21/2018 7:56 AM, Ray Bellis wrote:
> On 21/09/2018 12:47, Danny Mayer wrote:
> 
>> Putting on both my BIND9 and NTP hats for a moment:
>>
>> This answer makes no sense. NTP uses standard DNS FQDN's for all of its
>> references to NTP servers whether it's using pool, server or peer. I
>> have no idea where the reverse zone comes in though I haven't read the
>> whole thread. The NTP services all belong to domains, whether internal or
>> external. There is a DHCP option that we have seen but it seems to cause
>> more confusion than anything.
>>
>> You can create a DNS A or AAAA or even a CNAME in your local DNS that
>> the NTP server can use and it all works.
>>
>> Let me know if I misunderstood what this is really about.
> 
> I believe you have.
> 
> The discussion was about automated _discovery_ of the DNS name of your
> NTP server using an additional level of indirection so that it can be
> automatically configured without using DHCP.

That's easy. Create a FQDN called ntp in your domain and have it be a
set of CNAMES pointing to the ntp servers you want to use. The ntpd pool
option will take care of setting the multiple servers. You don't need
the complexity of SRV records.

Danny


Re: NTP through DNS?

2018-09-21 Thread Mukund Sivaraman
Hi Danny

On Fri, Sep 21, 2018 at 07:47:46AM -0400, Danny Mayer wrote:
> You can create a DNS A or AAAA or even a CNAME in your local DNS that
> the NTP server can use and it all works.

The original poster asked "can I publish/query the NTP server through
DNS the same way I can ask who is doing LDAP?"

That implied service discovery / config provisioning, not just
publishing address records of the NTP service in the DNS.

Mukund


Re: NTP through DNS?

2018-09-21 Thread Danny Mayer
On 9/19/2018 10:12 AM, Andrew Latham wrote:
> You can add SRV records for NTP to your domain if that is what you are
> asking.
> 

NTP doesn't use SRV records and I don't see a use case to do so.
Therefore I have no idea why this would be any benefit. You can add NTP
specific FQDN's as A or AAAA or CNAME records if that would be helpful.

Danny

> On Wed, Sep 19, 2018 at 9:09 AM Mauricio Tavares wrote:
> 
> Stupid question: can I publish/query the NTP server through DNS the
> same way I can ask who is doing LDAP?


Re: NTP through DNS?

2018-09-21 Thread Ray Bellis
On 21/09/2018 12:47, Danny Mayer wrote:

> Putting on both my BIND9 and NTP hats for a moment:
> 
> This answer makes no sense. NTP uses standard DNS FQDN's for all of its
> references to NTP servers whether it's using pool, server or peer. I
> have no idea where the reverse zone comes in though I haven't read the
> whole thread. The NTP services all belong to domains, whether internal or
> external. There is a DHCP option that we have seen but it seems to cause
> more confusion than anything.
> 
> You can create a DNS A or AAAA or even a CNAME in your local DNS that
> the NTP server can use and it all works.
> 
> Let me know if I misunderstood what this is really about.

I believe you have.

The discussion was about automated _discovery_ of the DNS name of your
NTP server using an additional level of indirection so that it can be
automatically configured without using DHCP.

Ray


Re: NTP through DNS?

2018-09-21 Thread Danny Mayer
On 9/19/2018 11:19 AM, Ray Bellis wrote:
> On 19/09/2018 15:59, Mauricio Tavares wrote:
> 
>>> An NTP service doesn't belong to a domain, so maybe not (I don't know of
>>> one off my mind).
>>>
>>   Not necessarily; I can name a few universities and businesses who
>> offer their own NTP servers to their internal systems. AFAIK, this is
>> considered good practice.
> 
> That's not the point that Mukund was making.
> 
> An NTP server is part of your local network configuration.   Your domain
> name is also part of your local network configuration.  As such, these
> two values are often served by DHCP.
> 
> That does not mean, though, that there is a one-to-one mapping from your
> domain name to your preferred set of NTP servers.
> 
> One could have numerous subnets located all over the planet with
> different NTP servers, but all sharing the same domain name.
> 
> If it were feasible to store an NTP server address in the DNS it would
> more logically fit in the in-addr.arpa zone, and not in a forward zone.
> 

Putting on both my BIND9 and NTP hats for a moment:

This answer makes no sense. NTP uses standard DNS FQDN's for all of its
references to NTP servers whether it's using pool, server or peer. I
have no idea where the reverse zone comes in though I haven't read the
whole thread. The NTP services all belong to domains, whether internal or
external. There is a DHCP option that we have seen but it seems to cause
more confusion than anything.

You can create a DNS A or AAAA or even a CNAME in your local DNS that
the NTP server can use and it all works.

Let me know if I misunderstood what this is really about.

Danny


Re: NTP through DNS?

2018-09-19 Thread Kevin Darcy
I'll just toss in the factoid that NTP can be run on multicast or anycast,
which may negate some of the motivation for using a DNS name to access the
service.


   - Kevin

On Wed, Sep 19, 2018 at 11:38 AM Andrew Latham wrote:

> On Wed, Sep 19, 2018 at 10:19 AM Ray Bellis wrote:
>
>> On 19/09/2018 15:59, Mauricio Tavares wrote:
>>
>> >> An NTP service doesn't belong to a domain, so maybe not (I don't know of
>> >> one off my mind).
>> >>
>> >   Not necessarily; I can name a few universities and businesses who
>> > offer their own NTP servers to their internal systems. AFAIK, this is
>> > considered good practice.
>>
>> That's not the point that Mukund was making.
>>
>> An NTP server is part of your local network configuration.   Your domain
>> name is also part of your local network configuration.  As such, these
>> two values are often served by DHCP.
>>
>> That does not mean, though, that there is a one-to-one mapping from your
>> domain name to your preferred set of NTP servers.
>>
>> One could have numerous subnets located all over the planet with
>> different NTP servers, but all sharing the same domain name.
>>
>> If it were feasible to store an NTP server address in the DNS it would
>> more logically fit in the in-addr.arpa zone, and not in a forward zone.
>>
>
> Many organizations have per site "views" of the zone so it actually works
> out well. There are many ways of building functional infrastructure. I
> agree there are many applications where this setup would not be useful,
> just addressing OP.
>
>
>>
>> Ray
>
>
> --
> - Andrew "lathama" Latham -


Re: NTP through DNS?

2018-09-19 Thread Andrew Latham
On Wed, Sep 19, 2018 at 10:19 AM Ray Bellis wrote:

> On 19/09/2018 15:59, Mauricio Tavares wrote:
>
> >> An NTP service doesn't belong to a domain, so maybe not (I don't know of
> >> one off my mind).
> >>
> >   Not necessarily; I can name a few universities and businesses who
> > offer their own NTP servers to their internal systems. AFAIK, this is
> > considered good practice.
>
> That's not the point that Mukund was making.
>
> An NTP server is part of your local network configuration.   Your domain
> name is also part of your local network configuration.  As such, these
> two values are often served by DHCP.
>
> That does not mean, though, that there is a one-to-one mapping from your
> domain name to your preferred set of NTP servers.
>
> One could have numerous subnets located all over the planet with
> different NTP servers, but all sharing the same domain name.
>
> If it were feasible to store an NTP server address in the DNS it would
> more logically fit in the in-addr.arpa zone, and not in a forward zone.
>

Many organizations have per site "views" of the zone so it actually works
out well. There are many ways of building functional infrastructure. I
agree there are many applications where this setup would not be useful,
just addressing OP.


>
> Ray


-- 
- Andrew "lathama" Latham -


Re: NTP through DNS?

2018-09-19 Thread Ray Bellis
On 19/09/2018 15:59, Mauricio Tavares wrote:

>> An NTP service doesn't belong to a domain, so maybe not (I don't know of
>> one off my mind).
>>
>   Not necessarily; I can name a few universities and businesses who
> offer their own NTP servers to their internal systems. AFAIK, this is
> considered good practice.

That's not the point that Mukund was making.

An NTP server is part of your local network configuration.   Your domain
name is also part of your local network configuration.  As such, these
two values are often served by DHCP.

That does not mean, though, that there is a one-to-one mapping from your
domain name to your preferred set of NTP servers.

One could have numerous subnets located all over the planet with
different NTP servers, but all sharing the same domain name.

If it were feasible to store an NTP server address in the DNS it would
more logically fit in the in-addr.arpa zone, and not in a forward zone.

Ray


Re: NTP through DNS?

2018-09-19 Thread Mauricio Tavares
On Wed, Sep 19, 2018 at 11:12 AM, Andrew Latham  wrote:
> Additionally you may route all outbound requests for NTP to a local source
> found from a DNS lookup.
>
> Benefits could be:
> * Control of time sources (correct a hardcoded address that is no longer
> valid)
> * Mitigate attack vectors
> * Mitigate bufferbloat

Wait! There is more!

   * Provide NTP for hosts which cannot reach the outside world
   * Keep Kerberos happy as the NTP server is not far.
>
> DNS is an important piece to this puzzle and SRV records can be useful when
> devices support them. It does not hurt to add the SRV records for common
> services.
>
> On Wed, Sep 19, 2018 at 9:59 AM Mauricio Tavares 
> wrote:
>>
>> On Wed, Sep 19, 2018 at 10:12 AM, Andrew Latham  wrote:
>> > You can add SRV records for NTP to your domain if that is what you are
>> > asking.
>> >
>>   Thanks. I was trying to query for it using dig and then realized
>> I did not know if that is doable.
>>
>> On Wed, Sep 19, 2018 at 10:16 AM, Mukund Sivaraman 
>> wrote:
>> > On Wed, Sep 19, 2018 at 10:08:34AM -0400, Mauricio Tavares wrote:
>> >> Stupid question: can I publish/query the NTP server through DNS the
>> >> same way I can ask who is doing LDAP?
>> >
>> > An NTP service doesn't belong to a domain, so maybe not (I don't know of
>> > one off my mind).
>> >
>>   Not necessarily; I can name a few universities and businesses who
>> offer their own NTP servers to their internal systems. AFAIK, this is
>> considered good practice.
>>
>> > For provisioning, there are DHCP options to do this. E.g., with ISC-DHCP
>> > and 10.98.0.5 as the NTP server:
>> >
>> > subnet 10.98.0.0 netmask 255.255.0.0 {
>> >...
>> >option ntp-servers 10.98.0.5;
>> > }
>> >
>> > and perhaps also use "tcode" and "time-offset" options to set the
>> > timezone.
>> >
>> > But a real bummer is that some DHCP clients (e.g., Android phones) do
>> > not make use of this option, and don't even provide a config setting to
>> > do so. IIRC they synchronize time via the cell phone signal.
>> >
>>   Add Windows devices to the list.
>>
>> > Mukund
>
>
>
> --
> - Andrew "lathama" Latham -
>


Re: NTP through DNS?

2018-09-19 Thread Andrew Latham
Additionally you may route all outbound requests for NTP to a local source
found from a DNS lookup.

Benefits could be:
* Control of time sources (correct a hardcoded address that is no longer
valid)
* Mitigate attack vectors
* Mitigate bufferbloat

DNS is an important piece to this puzzle and SRV records can be useful when
devices support them. It does not hurt to add the SRV records for common
services.

On Wed, Sep 19, 2018 at 9:59 AM Mauricio Tavares 
wrote:

> On Wed, Sep 19, 2018 at 10:12 AM, Andrew Latham  wrote:
> > You can add SRV records for NTP to your domain if that is what you are
> > asking.
> >
>   Thanks. I was trying to query for it using dig and then realized
> I did not know if that is doable.
>
> On Wed, Sep 19, 2018 at 10:16 AM, Mukund Sivaraman 
> wrote:
> > On Wed, Sep 19, 2018 at 10:08:34AM -0400, Mauricio Tavares wrote:
> >> Stupid question: can I publish/query the NTP server through DNS the
> >> same way I can ask who is doing LDAP?
> >
> > An NTP service doesn't belong to a domain, so maybe not (I don't know of
> > one off my mind).
> >
>   Not necessarily; I can name a few universities and businesses who
> offer their own NTP servers to their internal systems. AFAIK, this is
> considered good practice.
>
> > For provisioning, there are DHCP options to do this. E.g., with ISC-DHCP
> > and 10.98.0.5 as the NTP server:
> >
> > subnet 10.98.0.0 netmask 255.255.0.0 {
> >...
> >option ntp-servers 10.98.0.5;
> > }
> >
> > and perhaps also use "tcode" and "time-offset" options to set the
> > timezone.
> >
> > But a real bummer is that some DHCP clients (e.g., Android phones) do
> > not make use of this option, and don't even provide a config setting to
> > do so. IIRC they synchronize time via the cell phone signal.
> >
>   Add Windows devices to the list.
>
> > Mukund


-- 
- Andrew "lathama" Latham -


Re: NTP through DNS?

2018-09-19 Thread Mauricio Tavares
On Wed, Sep 19, 2018 at 10:12 AM, Andrew Latham  wrote:
> You can add SRV records for NTP to your domain if that is what you are
> asking.
>
  Thanks. I was trying to query for it using dig and then realized
I did not know if that is doable.

On Wed, Sep 19, 2018 at 10:16 AM, Mukund Sivaraman  wrote:
> On Wed, Sep 19, 2018 at 10:08:34AM -0400, Mauricio Tavares wrote:
>> Stupid question: can I publish/query the NTP server through DNS the
>> same way I can ask who is doing LDAP?
>
> An NTP service doesn't belong to a domain, so maybe not (I don't know of
> one off my mind).
>
  Not necessarily; I can name a few universities and businesses who
offer their own NTP servers to their internal systems. AFAIK, this is
considered good practice.

> For provisioning, there are DHCP options to do this. E.g., with ISC-DHCP
> and 10.98.0.5 as the NTP server:
>
> subnet 10.98.0.0 netmask 255.255.0.0 {
>...
>option ntp-servers 10.98.0.5;
> }
>
> and perhaps also use "tcode" and "time-offset" options to set the
> timezone.
>
> But a real bummer is that some DHCP clients (e.g., Android phones) do
> not make use of this option, and don't even provide a config setting to
> do so. IIRC they synchronize time via the cell phone signal.
>
  Add Windows devices to the list.

> Mukund


Re: NTP through DNS?

2018-09-19 Thread Mukund Sivaraman
On Wed, Sep 19, 2018 at 10:08:34AM -0400, Mauricio Tavares wrote:
> Stupid question: can I publish/query the NTP server through DNS the
> same way I can ask who is doing LDAP?

An NTP service doesn't belong to a domain, so maybe not (I don't know of
one off my mind).

For provisioning, there are DHCP options to do this. E.g., with ISC-DHCP
and 10.98.0.5 as the NTP server:

subnet 10.98.0.0 netmask 255.255.0.0 {
   ...
   option ntp-servers 10.98.0.5;
}

and perhaps also use "tcode" and "time-offset" options to set the
timezone.

But a real bummer is that some DHCP clients (e.g., Android phones) do
not make use of this option, and don't even provide a config setting to
do so. IIRC they synchronize time via the cell phone signal.

Mukund


Re: NTP through DNS?

2018-09-19 Thread Andrew Latham
You can add SRV records for NTP to your domain if that is what you are
asking.

On Wed, Sep 19, 2018 at 9:09 AM Mauricio Tavares 
wrote:

> Stupid question: can I publish/query the NTP server through DNS the
> same way I can ask who is doing LDAP?


-- 
- Andrew "lathama" Latham -
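Andrew's suggestion to publish SRV records for NTP (and his later remark that they are useful "when devices support them") leaves out the part a client has to implement: the RFC 2782 selection rules, which decide which target to contact first and what to fall back to. The following is an added example, not code from this thread, from BIND or from any NTP implementation. It parses a constructed _ntp._udp RRset written in zone-file presentation format (the names ntp1, ntp2 and ntp-backup under example.com, and the 60/40 weights, are assumptions chosen for illustration) and orders the targets the way a conforming client would, including the "target is ." convention that marks the service as deliberately unavailable.

```python
"""RFC 2782 SRV parsing and selection for an NTP service name.

Added example for the bind-users "NTP through DNS?" thread; the record
names and weights below are constructed, not taken from the thread.
"""
import random
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv_rrset(zone_text):
    """Parse SRV records written in zone-file presentation format.

    Accepts lines such as
        _ntp._udp.example.com. 3600 IN SRV 10 60 123 ntp1.example.com.
    TTL and class are optional, text after ';' is a comment, and lines
    without an SRV type are ignored so the text may also carry A records.
    """
    records = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if "SRV" not in fields:
            continue
        i = fields.index("SRV")
        try:
            priority, weight, port = (int(x) for x in fields[i + 1:i + 4])
            target = fields[i + 4]
        except (ValueError, IndexError):
            raise ValueError("malformed SRV record: %r" % raw)
        records.append(SRV(priority, weight, port, target))
    return records


def order_srv(records, rng=random):
    """Return (target, port) pairs in the order a client should try them.

    Lower priority values come first.  Within one priority the RFC 2782
    weighted draw is repeated until the pool is empty, so the result is a
    complete fallback list rather than a single pick.  A target of "."
    means "service decidedly not available" and is dropped.
    """
    usable = [r for r in records if r.target != "."]
    ordered = []
    for priority in sorted({r.priority for r in usable}):
        pool = [r for r in usable if r.priority == priority]
        while pool:
            # RFC 2782: any order, except that weight-0 records are placed
            # first so they are chosen only when the random number is 0.
            rng.shuffle(pool)
            pool.sort(key=lambda r: r.weight != 0)  # stable: zeros first
            total = sum(r.weight for r in pool)
            pick = rng.randint(0, total)  # inclusive at both ends, per RFC
            running = 0
            for r in pool:
                running += r.weight
                if running >= pick:
                    ordered.append((r.target, r.port))
                    pool.remove(r)
                    break
    return ordered


# Constructed sample RRset (assumed names and weights, not from the thread).
SAMPLE_ZONE = """\
; two preferred servers weighted 60/40, plus a backup at a lower priority
_ntp._udp.example.com. 3600 IN SRV 10 60 123 ntp1.example.com.
_ntp._udp.example.com. 3600 IN SRV 10 40 123 ntp2.example.com.
_ntp._udp.example.com.         SRV 20  0 123 ntp-backup.example.com.
"""

# RFC 2782's way of saying "this domain offers no NTP service": one record
# whose target is the root label.
UNAVAILABLE_ZONE = "_ntp._udp.example.net. IN SRV 0 0 0 ."


def ntp_candidates(zone_text, rng=random):
    """Convenience wrapper: zone text in, ordered (target, port) list out."""
    return order_srv(parse_srv_rrset(zone_text), rng)


if __name__ == "__main__":
    for target, port in ntp_candidates(SAMPLE_ZONE):
        print("%s:%d" % (target, port))
```

Running it prints ntp1 and ntp2 in a weighted random order (ntp1 first about 60% of the time) followed by ntp-backup, and an empty list for the example.net zone. Two caveats a deployment should keep in mind: support for SRV lookups is entirely on the client side, as the thread says, so publishing the records does nothing for software that never asks for them; and an SRV answer is only as trustworthy as the resolution path that delivered it, so without DNSSEC validation on the client a spoofed reply can point every host at an attacker's time source.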


NTP through DNS?

2018-09-19 Thread Mauricio Tavares
Stupid question: can I publish/query the NTP server through DNS the
same way I can ask who is doing LDAP?