Re: [Ntp] Circular dependencies

Danny Mayer <mayer@ntp.org> Thu, 12 November 2020 00:31 UTC

To: Watson Ladd <watsonbladd@gmail.com>, NTP WG <ntp@ietf.org>
References: <CACsn0c=Xu31KyHu8+uq+fKBMVRt+YaJGZCfSn2ph1WXfm2atHw@mail.gmail.com>
From: Danny Mayer <mayer@ntp.org>
Message-ID: <f0c3e18d-39ba-9042-1f2f-89749ca80412@ntp.org>
Date: Wed, 11 Nov 2020 19:31:22 -0500
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/44bXpLbzc2O7RZEAPQ9nk3pN5-8>
Subject: Re: [Ntp] Circular dependencies

On 11/11/20 12:21 PM, Watson Ladd wrote:
> Dear NTP WG,
>
> I just realized there is a mailing list bug report that's a lot more
> interesting than it seems. They have a DNSSEC validating resolver and
> were using an NTP daemon to set the clock (and the RTC was busted). But
> the time is needed to verify liveness of the signatures for DNSSEC to
> validate, and without it the names don't resolve, including the NTP
> server names.
>
> This is probably a bigger issue with NTS, as certs with IP addresses
> are harder to get. Roughtime can use its own keys, but does still rely
> on the DNS often, so it won't necessarily be a solution. Any ideas?
>
> Sincerely,
> Watson Ladd

This is not new and has been an issue for years. This is the reason why
Autokey was developed, which avoided the certificate issues with
timestamps. This is unrelated to the problems with the Autokey protocol.
The second part of this is if you look up IP addresses in NTP and those
are DNSSEC protected then DNSSEC assumes that they are using accurate
time when checking the certificates. There's no easy solution.

Danny
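The loop Watson and Danny describe, as an added illustration that is not code from the thread or from any NTP or resolver implementation: the first part is the RRSIG validity-window check a validating resolver performs (RFC 4035 section 5.3.1, compared with RFC 1982 serial-number arithmetic), run once with a sane clock and once with a dead RTC that booted at the epoch; the second part is a hypothetical dependency graph of the boot sequence with a cycle finder, showing the hostname/DNSSEC/time loop, that configuring a time source by IP literal removes it for plain NTP, and that NTS re-introduces it through certificate validity dates. The signature window, the timestamps and the graph edges are all constructed for the example.

```python
"""Constructed model of the DNSSEC <-> time bootstrap dependency (not from the thread)."""
from datetime import datetime, timezone

SERIAL_MOD = 1 << 32  # RRSIG Inception/Expiration are 32-bit seconds since the epoch
HALF = SERIAL_MOD // 2


def serial_lt(a: int, b: int) -> bool:
    """RFC 1982 serial-number 'a < b' on 32-bit values (the field wraps in 2106)."""
    return 0 < (b - a) % SERIAL_MOD < HALF


def rrsig_time_valid(now: int, inception: int, expiration: int) -> bool:
    """RFC 4035 s.5.3.1: the validator's clock must satisfy
    inception <= now <= expiration in serial arithmetic.
    A perfectly good signature is rejected when the local clock is wrong."""
    now, inception, expiration = (t % SERIAL_MOD for t in (now, inception, expiration))
    return not serial_lt(now, inception) and not serial_lt(expiration, now)


def ts(iso: str) -> int:
    """UTC ISO-8601 string -> seconds since the epoch."""
    return int(datetime.fromisoformat(iso).replace(tzinfo=timezone.utc).timestamp())


# Constructed two-week signature window covering, say, an NTP server's A record.
INCEPTION = ts("2020-11-01T00:00:00")
EXPIRATION = ts("2020-11-15T00:00:00")
GOOD_CLOCK = ts("2020-11-11T12:21:00")
DEAD_RTC = 0  # battery-less RTC: the host boots believing it is 1970-01-01 (constructed)


def boot_dependencies(ntp_by_hostname: bool, nts: bool) -> dict:
    """Hypothetical 'A needs B' edges for clock bootstrap on a host whose
    resolver validates DNSSEC. Edge choices follow the thread's description."""
    deps = {
        "dnssec_validation": {"accurate_time"},        # RRSIG validity windows
        "accurate_time": {"ntp_sync"},                  # the RTC cannot be trusted
        "resolve_server_name": {"dnssec_validation"},   # validating resolver in the path
        "ntp_sync": set(),
    }
    if ntp_by_hostname:
        deps["ntp_sync"].add("resolve_server_name")     # server configured by name
    if nts:
        deps["ntp_sync"].add("cert_validation")         # NTS-KE runs over TLS
        deps["cert_validation"] = {"accurate_time"}     # notBefore/notAfter checks
    return deps


def find_cycle(deps: dict):
    """Depth-first search; returns one cycle as a closed node list, or None."""
    nodes = set(deps) | {m for ms in deps.values() for m in ms}
    state = {n: "new" for n in nodes}
    path = []

    def visit(n):
        state[n] = "active"
        path.append(n)
        for m in sorted(deps.get(n, ())):
            if state[m] == "active":               # back edge: cycle found
                return path[path.index(m):] + [m]
            if state[m] == "new":
                found = visit(m)
                if found:
                    return found
        path.pop()
        state[n] = "done"
        return None

    for n in sorted(nodes):
        if state[n] == "new":
            found = visit(n)
            if found:
                return found
    return None


if __name__ == "__main__":
    print("sane clock, RRSIG valid:", rrsig_time_valid(GOOD_CLOCK, INCEPTION, EXPIRATION))
    print("dead RTC,   RRSIG valid:", rrsig_time_valid(DEAD_RTC, INCEPTION, EXPIRATION))
    for label, args in [("NTP by hostname", (True, False)),
                        ("NTP by IP literal", (False, False)),
                        ("NTS by IP literal", (False, True))]:
        print(f"{label:18s} cycle: {find_cycle(boot_dependencies(*args))}")
```

The serial comparison matters for the dead-RTC case: 1970 is about 1.6e9 seconds before the 2020 inception, which is under 2^31, so the validator correctly sees "now < inception" and refuses the signature; a clock wrong by more than 2^31 seconds would wrap and compare the other way, which is why the check uses RFC 1982 rather than plain integers.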