On Mon, May 04, 2020 at 04:44:00PM +, Zbigniew Jędrzejewski-Szmek wrote:
> Aside: the PEERNTP option seems to be very weakly documented. After
> some searching I found [1, 2] and [3]. Some up-to-date documentation would
> be necessary if users are expected to configure this.
Ok. I filed bug #1
Hi,
sorry for thread necromancy...
On Wed, Apr 08, 2020 at 10:42:09AM +0200, Miroslav Lichvar wrote:
> What I meant, if someone for example had at home a stratum 1 server
> (e.g. synchronized to GPS) and they trusted everything and everyone in
> their local network, it would make sense to still u
On Thu, Apr 09, 2020 at 02:08:46PM -0500, Brandon Nielsen wrote:
> Additionally, the 'nts' option for 'server' and 'pool' directives, to me,
> does not make it immediately clear that NTS will be required for _all_ NTP
> servers. To me, that option implies that NTS will be enforced for that
> partic
On 4/9/20 11:06 AM, Miroslav Lichvar wrote:
On Wed, Apr 08, 2020 at 02:09:01PM -0500, Brandon Nielsen wrote:
On 4/8/20 3:42 AM, Miroslav Lichvar wrote:
What is the issue with using untrusted DNS servers here? An NTS client
is supposed to verify the certificates. Local MITM attackers shouldn't
b
On 4/9/20 10:42 AM, Björn Persson wrote:
[snip]
Fedora's defaults should be chosen to keep users reasonably secure every
way we can. If you as a sysadmin trust the DHCP server and every other
device on the local network – including any device that may be connected
in the future – then you should
On Wed, Apr 08, 2020 at 02:09:01PM -0500, Brandon Nielsen wrote:
> On 4/8/20 3:42 AM, Miroslav Lichvar wrote:
> > What is the issue with using untrusted DNS servers here? An NTS client
> > is supposed to verify the certificates. Local MITM attackers shouldn't
> > be able to force the client to sync
Brandon Nielsen wrote:
> If the DNS servers provided by DHCP are trusted, why
> would any plain NTP servers also provided by DHCP not be trusted? I can
> do nefarious things with either.
For DNS the solution is to not trust the DHCP-provided resolvers but
validate DNSsec locally. A valid chain o
On 4/8/20 3:42 AM, Miroslav Lichvar wrote:
On Tue, Apr 07, 2020 at 01:41:48PM -0500, Brandon Nielsen wrote:
It doesn't make much sense to me for this to default to on if we still
"trust" the DNS servers provided over DHCP.
What is the issue with using untrusted DNS servers here? An NTS client
On Tue, Apr 07, 2020 at 01:41:48PM -0500, Brandon Nielsen wrote:
> It doesn't make much sense to me for this to default to on if we still
> "trust" the DNS servers provided over DHCP.
What is the issue with using untrusted DNS servers here? An NTS client
is supposed to verify the certificates. Loc
On Tue, Apr 07, 2020 at 01:41:48PM -0500, Brandon Nielsen wrote:
> On 4/6/20 4:08 PM, Ben Cotton wrote:
> > [snip]
> >
> >
>
> It doesn't make much sense to me for this to default to on if we still
> "trust" the DNS servers provided over DHCP. Additionally, it's not clear to
> me from the propos
On 4/6/20 4:08 PM, Ben Cotton wrote:
[snip]
It doesn't make much sense to me for this to default to on if we still
"trust" the DNS servers provided over DHCP. Additionally, it's not clear
to me from the proposal what it would take for an NTP server provided
over DHCP to be "trusted", or wh
https://fedoraproject.org/wiki/Changes/NetworkTimeSecurity
== Summary ==
Support for the Network Time Security (NTS) authentication mechanism
in the NTP client/server (chrony) and installer (anaconda).
== Owner ==
* Name: [[User:mlichvar| Miroslav Lichvar]], [[User:mkolman| Martin Kolman]]
* Ema