Hi, I'm currently working with TSIG (RFC 2845) on my project. The idea came to me to use it as a constraint for openntpd. This would solve a paradox on my NUC, which does DNS in my apartment. The NUC's BIND uses TSIG to query a forwarder for DNS answers. TSIG relies on time being correct within a small window (called a fudge). So you see, the HTTPS constraints on the NUC would never work if the time was off (thankfully it has an RTC), because it would not be able to look up the name of the server. It's an endless spiral if nobody intervenes (DNS does not work because of bad time, time does not get updated because of DNS).
I already shared some TSIG work, three years ago, here: https://marc.info/?l=openbsd-tech&m=145656997013119&w=2

I can probably enhance that to cause a time check on the DNS server with TSIG. This would also make it possible for me to move the BIND closer to the router (currently an octeon without RTC) and possibly have a second nameserver in the local LAN. A TSIG is authenticated, and I believe that to get past BADKEY and BADSIG messages and receive BADTIME replies one has to configure a key. The question is: does OpenBSD have a need for something like that? I can branch off the work I'm currently doing and spend some time on ntpd.

Regards,
-peter
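The mechanism the post relies on is the RFC 2845 time check: the server accepts a request only if its own clock is within `fudge` seconds of the request's `Time Signed`, and on failure it answers BADTIME with its own 48-bit time in the TSIG `Other Data` field, signed under the same key, so a client that shares the key can learn the server's time even when its own clock is far off. The following is an added illustration (not code from the post, from OpenBSD or from BIND) of that exchange on both sides. The key, clock values and fudge are constructed, and the MAC is a deliberate simplification: a real TSIG MAC covers the whole DNS message, the key name and the algorithm name, while this one covers only the timing fields and error code, which is enough to show why the client must verify the reply before trusting the time it carries.

```python
import hashlib
import hmac

# Extended RCODEs defined in RFC 2845 section 1.7 (seconds are since 1970-01-01 UTC)
NOERROR = 0
BADSIG = 16
BADKEY = 17
BADTIME = 18


def pack_time48(seconds):
    """Encode the 48-bit 'Time Signed' field (big-endian, 6 bytes)."""
    if not 0 <= seconds < 1 << 48:
        raise ValueError("time does not fit in 48 bits")
    return seconds.to_bytes(6, "big")


def unpack_time48(data):
    """Decode a 6-byte 'Time Signed' / 'Other Data' time field."""
    if len(data) != 6:
        raise ValueError("expected a 6-byte time field")
    return int.from_bytes(data, "big")


def server_check_time(time_signed, fudge, server_now):
    """RFC 2845 4.5.2: BADTIME unless |server_now - time_signed| <= fudge."""
    return BADTIME if abs(server_now - time_signed) > fudge else NOERROR


def simplified_tsig_mac(key, time_signed, fudge, error, other_data):
    """Simplified MAC over the timing fields only (assumption: the real TSIG
    digest also covers the DNS message, key name and algorithm name)."""
    msg = (pack_time48(time_signed)
           + fudge.to_bytes(2, "big")
           + error.to_bytes(2, "big")
           + len(other_data).to_bytes(2, "big")
           + other_data)
    return hmac.new(key, msg, hashlib.sha256).digest()


def server_reply(key, time_signed, fudge, server_now):
    """Server side: returns (error, other_data, mac). On BADTIME the reply keeps
    the client's Time Signed and carries the server's own time in Other Data."""
    error = server_check_time(time_signed, fudge, server_now)
    other_data = pack_time48(server_now) if error == BADTIME else b""
    mac = simplified_tsig_mac(key, time_signed, fudge, error, other_data)
    return error, other_data, mac


def client_learn_offset(key, time_signed, fudge, reply, client_now):
    """Client side: verify the reply first, then, only on an authenticated
    BADTIME, return (server_time - client_now). None means 'no trusted
    correction available' (bad MAC, no BADTIME, or malformed Other Data)."""
    error, other_data, mac = reply
    expected = simplified_tsig_mac(key, time_signed, fudge, error, other_data)
    if not hmac.compare_digest(expected, mac):
        return None  # unauthenticated reply: never adjust the clock from it
    if error != BADTIME or len(other_data) != 6:
        return None
    return unpack_time48(other_data) - client_now


def exchange(key, client_now, server_now, fudge):
    """Drive one request/reply with the client signing at its own (possibly
    wrong) time. Returns (error, offset_learned_by_client)."""
    reply = server_reply(key, client_now, fudge, server_now)
    offset = client_learn_offset(key, client_now, fudge, reply, client_now)
    return reply[0], offset


if __name__ == "__main__":
    key = b"constructed-shared-key"  # constructed sample key
    # Constructed clocks: client is 400 s behind, fudge is BIND's default 300 s
    print(exchange(key, 1_000_000, 1_000_400, 300))  # (18, 400)
    print(exchange(key, 1_000_000, 1_000_200, 300))  # (0, None)
```

The offset returned on an authenticated BADTIME is what an ntpd-style constraint could feed into its sanity check; the MAC verification before that step is the whole point of preferring TSIG over an unsigned reply.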