On Thu, Mar 12, 2020 at 12:03:10AM +0100, Kurt Roeckx wrote:
> On Wed, Mar 11, 2020 at 02:30:11PM -0700, Hal Murray wrote:
> >
> > Any thoughts about how to get the pool to support it?
>
> I think that if we want to use NTS with the pool, that we need a
> secure way of getting the list of servers. That probably means
> either DNSSEC or TLS. Both have their advantages and
> disadvantages.

Can we describe them?

DNSSEC advantages
- smaller load on servers

DNSSEC disadvantages
- additional complexity for NTS clients
- not widely supported (i.e. NTS clients would need to have their own full DNS resolver like libunbound)
- not always available (e.g. DNS blocked to Internet and local servers don't support it)

TLS advantages
- already used by NTS

TLS disadvantages
- much higher load on servers

Anything important missing?

One of my suggestions was to specify an NTS-KE redirect where the server wouldn't provide cookies, but a TTL and a list of hostnames and addresses. It would basically be DNS over NTS-KE. Easy to implement on both servers and clients. If the clients were caching the results properly, the load should be a fraction of the NTS-KE load at the NTP servers.

Would that make sense for pool.ntp.org?

There is a different problem that might need to be addressed first. MITM attackers could circumvent NTS simply by joining the pool. How could that be prevented or minimized? Not accept any new members and trust that the old ones won't do any harm? A year-long waiting list for NTS?

-- 
Miroslav Lichvar
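The "DNS over NTS-KE" redirect idea above, sketched as an added example (not code from the thread or from any NTS implementation): a server-list record carried in the RFC 8915 record framing, plus a client cache that honours the TTL so repeated lookups do not hit the NTS-KE server. The record type value and the TTL-plus-names body layout are constructed placeholders, not assigned or specified anywhere.

```python
import struct
import time

CRITICAL_BIT = 0x8000          # RFC 8915: high bit of the 16-bit record header
END_OF_MESSAGE = 0             # RFC 8915 record type 0
REDIRECT_RECORD_TYPE = 0x4000  # PLACEHOLDER: hypothetical, not IANA-assigned

def encode_record(rtype, body, critical=True):
    """One NTS-KE record: critical bit + 15-bit type, 16-bit body length, body."""
    return struct.pack("!HH", (CRITICAL_BIT if critical else 0) | rtype, len(body)) + body

def encode_redirect(ttl_seconds, servers):
    """Constructed redirect body: 32-bit TTL, then comma-separated server names."""
    body = struct.pack("!I", ttl_seconds) + ",".join(servers).encode("ascii")
    return encode_record(REDIRECT_RECORD_TYPE, body) + encode_record(END_OF_MESSAGE, b"")

def parse_records(data):
    """Split an NTS-KE message into (critical, type, body) tuples, stopping at End of Message."""
    records, off = [], 0
    while off + 4 <= len(data):
        hdr, length = struct.unpack_from("!HH", data, off)
        off += 4
        body = data[off:off + length]
        if len(body) != length:
            raise ValueError("truncated record")
        off += length
        records.append((bool(hdr & CRITICAL_BIT), hdr & 0x7FFF, body))
        if hdr & 0x7FFF == END_OF_MESSAGE:
            break
    return records

class RedirectCache:
    """Client-side cache: serve the list until the TTL expires, then force a fresh NTS-KE query."""
    def __init__(self, now=time.monotonic):
        self._now, self._servers, self._expires = now, [], 0.0

    def update(self, message):
        for critical, rtype, body in parse_records(message):
            if rtype == REDIRECT_RECORD_TYPE:
                ttl = struct.unpack_from("!I", body)[0]
                self._servers = [n for n in body[4:].decode("ascii").split(",") if n]
                self._expires = self._now() + ttl
            elif critical and rtype != END_OF_MESSAGE:
                raise ValueError(f"unknown critical record {rtype}")  # RFC 8915 rule

    def servers(self):
        """Cached names, or None when expired (caller must re-run NTS-KE)."""
        return list(self._servers) if self._now() < self._expires else None
```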
