Re: [Ntp] NTS pool support

"Patrik Fältström " <paf@frobbit.se> Sun, 21 July 2019 07:29 UTC

Return-Path: <paf@frobbit.se>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 5CF0C1200F6 for <ntp@ietfa.amsl.com>; Sun, 21 Jul 2019 00:29:00 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -2.699
X-Spam-Level:
X-Spam-Status: No, score=-2.699 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FROM_EXCESS_BASE64=0.001, RCVD_IN_DNSWL_LOW=-0.7, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Authentication-Results: ietfa.amsl.com (amavisd-new); dkim=pass (1024-bit key) header.d=frobbit.se
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id s5F5dljKS0bH for <ntp@ietfa.amsl.com>; Sun, 21 Jul 2019 00:28:58 -0700 (PDT)
Received: from mail.frobbit.se (mail.frobbit.se [IPv6:2a02:80:3ffe::176]) (using TLSv1.2 with cipher AECDH-AES256-SHA (256/256 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 482731200E7 for <ntp@ietf.org>; Sun, 21 Jul 2019 00:28:57 -0700 (PDT)
Received: from [192.165.72.198] (unknown [IPv6:2a02:80:3ffc:0:5ee:b8ff:c70d:d98a]) by mail.frobbit.se (Postfix) with ESMTPSA id 21483273D9; Sun, 21 Jul 2019 09:28:54 +0200 (CEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/simple; d=frobbit.se; s=mail; t=1563694134; bh=T8wBadVD5Gn3It0fg6nSWc7R7uUTc0Y8lueLrJoUee4=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=WTIWdaw0KX6o2UajE7PvM6O5CX/vLSb4A/HzS4ZEVN+HezoHbOlNfUZN+lXpcB5K6 Q6qqBgWyRUdlyRdjC1GN6B14FB0K7aUE/mlAp09UwVlAeBcAIxIrFdh/jhSxTIbm1/ wZoI/9ImySeyzlFvAuqawI9batFaK36ByiG8TvHU=
From: "Patrik =?utf-8?b?RsOkbHRzdHLDtm0=?=" <paf@frobbit.se>
To: "Ask =?utf-8?q?Bj=C3=B8rn?= Hansen" <ask@develooper.com>
Cc: "Christer Weinigel" <christer@weinigel.se>, ntp@ietf.org
Date: Sun, 21 Jul 2019 09:28:53 +0200
X-Mailer: MailMate (1.12.5r5635)
Message-ID: <D8DF9BEE-7AE0-48D2-9A7F-B98D4F19147B@frobbit.se>
In-Reply-To: <17C0BC71-F9A8-4839-B593-0AF18967F5B6@develooper.com>
References: <3cd8c65b-a37c-863e-ea2c-2de0a5aeee96@weinigel.se> <17C0BC71-F9A8-4839-B593-0AF18967F5B6@develooper.com>
MIME-Version: 1.0
Content-Type: multipart/signed; boundary="=_MailMate_04244A40-75A2-4403-8CD3-9E49E8C5D11E_="; micalg=pgp-sha1; protocol="application/pgp-signature"
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/PEZA1zKAd11Ms-tjTCb2sXSMmis>
Subject: Re: [Ntp] NTS pool support
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jul 2019 07:29:00 -0000

On 21 Jul 2019, at 5:18, Ask Bjørn Hansen wrote:

>> On Jul 20, 2019, at 1:37 PM, Christer Weinigel <christer@weinigel.se>; wrote:
>>
>> The best thing about DNS SRV records is that the target (host) is a
>> fully qualified domain name, which means that when the NTS client
>> connects to the NTSKE server it will match the name that's present in
>> the TLS certificate for the server.  This means that the administrator
>> of the pool does not have to manage the TLS certificates and private
>> keys, that's up to whoever manages each NTSKE server.
>
>
> In this scenario, for the client to know that the server behind the SRV record are trusted by the pool system, it will have to either do end-to-end DNSSEC (and the pool DNS has to support it),

DNSSEC do not really work that way. But close :-)

You must trust whoever is doing the validation. You extrapolate that to you having to do the validation, but that builds upon you not trusting (for example) the access provider that runs the recursive resolver for you also do the validation.

> or the CA used for the server need to be explicitly tied to the pool configuration. If not then your ISP can easily hi-jack the service in a way that’s not possible with “regular NTS”. Or maybe I am missing something. :-)

I think Christers idea is good(*), as it collapses to "if you trust your DNS, then you can use SRV". This irrespectively of whether DNSSEC is in use or not.

That trust can be built by either just trusting DNS, trust the validating recursive resolver run by a third party, or you run your own validating resolver on ::1.

Saying SRV can not be used because you do not trust DNS is not working, as we have other issues with NTS if we do not trust DNS. NTP Pools rely on us trusting the DNS as the pool is built in DNS as the database.

   Patrik