Yo Daniel! On Mon, 4 Mar 2019 16:32:33 -0500 Daniel Franke <dfoxfra...@gmail.com> wrote:
> On Mon, Mar 4, 2019 at 4:28 PM Gary E. Miller via devel
> <devel@ntpsec.org> wrote:
> > The name in ntp.conf MUST match the name in the cert. Unless you
> > override it ("noval", pin, etc.).
> >
> > > The normal getaddrinfo and friends automatically follow CNAMEs.
> > > Thus my comment about needing some DNS code.
> >
> > Which opens a big fat back door.
>
> Whatever CNAMEs the DNS hands you, you should follow; the default
> behavior of getaddrinfo is fine. Just match the name in the cert
> against what's in ntp.conf and not against anything else.
+1
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
g...@rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
pgpuoJefgrXgq.pgp
Description: OpenPGP digital signature
_______________________________________________ devel mailing list devel@ntpsec.org http://lists.ntpsec.org/mailman/listinfo/devel
