Hi,
* Ask Bjørn Hansen <a...@ntppool.org> [2012-09-10 18:03]:
> On Sep 10, 2012, at 8:13, Nico Golde <n...@debian.org> wrote:
> [Adding NTP authentication]
>
> We could set up a set of servers with authentication, but that'd be a much 
> smaller list of servers (for better and worse). It wouldn't be like the 
> current NTP Pool at all.
> 
> Next would be to add DNSSEC to the DNS (which is non-trivial with the 
> current zone and the current resources; at peaks the DNS servers get 20-30k 
> qps and each response is different so you have to sign in "real-time").
> 
> If there's a need and resources, I could run a zone with DNSSEC and with 
> autokey configured, but it'd not be possible in the "open source"/"everyone 
> volunteers a resource or two" scheme.

Wouldn't it still make sense to have a zone configured with autokey even 
without DNSSEC? Or is an active attacker bombarding the victim with faked NTP 
responses without spoofed DNS not an issue at all, so all this matters *only* 
if DNS is spoofed?

Kind regards
Nico
P.S: I'm all but an NTP expert :)
-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0xA0A0AAAA
