On Thu, Mar 12, 2020 at 02:23:54AM -0700, Hal Murray wrote:
> You said "shorter lived certs" a couple of times. Are you thinking of short
> enough to cover temporarily removing servers with bad time from the pool? If
> so, that won't work.
>
> If all goes well, the NTS-KE step is very rare. The client gets 8 cookies.
> Each NTP exchange uses a cookie and gets back a new cookie. If an occasional
> packet is lost, the client can ask for extras. The NTP side just keeps
> running if the server's certificate expires.

I think that's no different from how NTP clients currently work with the pool. If a server is removed from the pool, the clients will use it until it's marked as a falseticker or unreachable. It doesn't matter if it was removed from DNS or its certificate expired.

--
Miroslav Lichvar
