On Mon, Sep 10, 2012 at 06:18:42PM +0200, Nico Golde wrote:
> Hi,
> * Ask Bjørn Hansen <a...@ntppool.org> [2012-09-10 18:03]:
> > On Sep 10, 2012, at 8:13, Nico Golde <n...@debian.org> wrote:
> > [Adding NTP authentication]
> >
> > We could set up a set of servers with authentication, but that'd be a much
> > smaller list of servers (for better and worse). It wouldn't be like the
> > current NTP Pool at all.
> >
> > Next would be to add DNSSEC to the DNS (which is non-trivial with the
> > current zone and the current resources; at peaks the DNS servers get 20-30k
> > qps and each response is different so you have to sign in "real-time".).
> >
> > If there's a need and resources, I could run a zone with DNSSEC and with
> > autokey configured, but it'd not be possible in the "open source"/"everyone
> > volunteers a resource or two" scheme.
>
> Wouldn't it still make sense to have a zone configured with autokey even
> without DNSSEC? Or is an active attacker bombarding the victim with faked NTP
> responses without spoofed DNS not an issue at all, so all this matters *only*
> if DNS is spoofed?
Autokey does several things; the most important of those is to authenticate the peer you're talking to. I don't see DNSSEC adding anything useful if autokey is used, unless we also want to distribute the public keys via DNS.

Kurt