On Mon, Mar 4, 2019 at 4:28 PM Gary E. Miller via devel <devel@ntpsec.org> wrote:
> The name in ntp.conf MUST match the name in the cert. Unless you
> override it ("noval", pin, etc.).
>
> > The normal getaddrinfo and friends automatically follow CNAMEs.
> > Thus my comment about needing some DNS code.
>
> Which opens a big fat back door.

Whatever CNAMEs the DNS hands you, you should follow; the default behavior of getaddrinfo is fine. Just match the name in the cert against what's in ntp.conf and not against anything else.
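
As an added example (not part of the original message and not NTPsec's code), the Python below uses the standard `socket` and `ssl` modules to show the rule from the reply: the resolver follows CNAMEs to find an address, while the only name handed to certificate verification is the configured one. The function names and the injectable `resolver` parameter are assumptions made for illustration.

```python
import socket
import ssl


def resolve(configured_name, port, resolver=socket.getaddrinfo):
    """Look up the name from ntp.conf; the resolver follows any CNAME chain.

    Returns (sockaddr, canonname). canonname is for logging only and is
    never used as a TLS identity, because DNS answers may be unauthenticated.
    """
    infos = resolver(configured_name, port, type=socket.SOCK_STREAM,
                     flags=socket.AI_CANONNAME)
    _family, _socktype, _proto, canonname, sockaddr = infos[0]
    return sockaddr, canonname


def tls_session(configured_name):
    """Create a client TLS object whose reference identity is the configured name."""
    ctx = ssl.create_default_context()  # CERT_REQUIRED and check_hostname=True
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    # server_hostname sets both SNI and the name the certificate must match.
    return ctx.wrap_bio(incoming, outgoing, server_hostname=configured_name)


def connect(configured_name, port, timeout=5.0):
    """Connect to the resolved address; verify the cert against configured_name."""
    sockaddr, _canonname = resolve(configured_name, port)
    raw = socket.create_connection(sockaddr[:2], timeout=timeout)
    ctx = ssl.create_default_context()
    try:
        # A cert that names only the CNAME target fails the handshake here.
        return ctx.wrap_socket(raw, server_hostname=configured_name)
    except (ssl.SSLError, OSError):
        raw.close()
        raise
```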