[Ntp] Pool and DNS
Hal Murray <halmurray@sonic.net> Wed, 19 October 2022 04:42 UTC
Return-Path: <halmurray@sonic.net>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id 2E5EAC152569 for <ntp@ietfa.amsl.com>; Tue, 18 Oct 2022 21:42:42 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -6.91
X-Spam-Level:
X-Spam-Status: No, score=-6.91 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, RCVD_IN_DNSWL_HI=-5, SPF_HELO_NONE=0.001, SPF_PASS=-0.001, T_SCC_BODY_TEXT_LINE=-0.01] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([50.223.129.194]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id ZC0-07vqM916 for <ntp@ietfa.amsl.com>; Tue, 18 Oct 2022 21:42:39 -0700 (PDT)
Received: from d.mail.sonic.net (d.mail.sonic.net [64.142.111.50]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id E42A6C1524C4 for <ntp@ietf.org>; Tue, 18 Oct 2022 21:42:39 -0700 (PDT)
Received: from 107-137-68-211.lightspeed.sntcca.sbcglobal.net (99-4-120-220.lightspeed.sntcca.sbcglobal.net [99.4.120.220]) (authenticated bits=0) by d.mail.sonic.net (8.16.1/8.16.1) with ESMTPSA id 29J4gbWS009020 (version=TLSv1.2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128 verify=NOT); Tue, 18 Oct 2022 21:42:37 -0700
Received: from hgm (localhost [IPv6:::1]) by 107-137-68-211.lightspeed.sntcca.sbcglobal.net (Postfix) with ESMTP id 8DE2C28C1DB; Tue, 18 Oct 2022 21:42:37 -0700 (PDT)
X-Mailer: exmh version 2.9.0 11/07/2018 with nmh-1.7.1
To: Neta R S <neta.r.schiff@gmail.com>
cc: Hal Murray <halmurray@sonic.net>, ntp@ietf.org
From: Hal Murray <halmurray@sonic.net>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Date: Tue, 18 Oct 2022 21:42:37 -0700
Message-Id: <20221019044237.8DE2C28C1DB@107-137-68-211.lightspeed.sntcca.sbcglobal.net>
X-Sonic-CAuth: UmFuZG9tSVYtJc5L7G9oEpBlHEl5smlH4iHg7KyQ0YVfCkPojqBbG+wxTq0M/xGIgjLk2/FhkmyCP90aLrWL7yyxIXB116Zk
X-Sonic-ID: C;hncEdWhP7RGLe7NMP63e0g== M;JsoWdWhP7RGLe7NMP63e0g==
X-Sonic-Spam-Details: -1.5/5.0 by cerberusd
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/SeCnRAzhdd6dHNQLorFhiTvSGqs>
Subject: [Ntp] Pool and DNS
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.39
Precedence: list
List-Id: Network Time Protocol <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 19 Oct 2022 04:42:42 -0000
> Around 250 DNS queries are required by Khronos to obtain a pool of 1000 NTP > servers, which is equal to the number of queries performed by NTPv4 in a > duration of 10 days (assuming a query per hour). Where did that "a query per hour" come from? It's not wildly wrong and I don't have a better number. But I worry that somebody will assume it is a solid data point and use it in some future line of reasoning. -------- My reading is that pool traffic is bimodal. ntpd makes a few DNS requests on startup then uses those servers for a long time. sntp makes a DNS request every time it is run. You can see that by watching the traffic on a server in the pool when you disable it by setting the traffic rate to monitor-only. The traffic drops abruptly by X%, then slowly decays. "Slowly" is ballpark of 10% per day. X is ballpark of 60%. (I didn't get decent data because I only figured out what was going on after I had already messed things up. Next time...) ---------- The main problem with DNS and the pool is that there is currently no clean way to remove a server from the pool. If you remove it from the pool, the sntp traffic will vanish since it will get removed from future DNS answers. But the ntpd traffic will continue to use existing servers as long as ntpd keeps running and the servers keep responding. There is no way to ask if a server is still in the pool. If there was, ntpd should check every day or week or ... That would add more DNS traffic from the long running ntpd servers. Khronos would add much more. ---------- The more interesting question is NTS. The NTS-KE step is fairly heavyweight, much more work than a DNS lookup. The current parameters are 8 cookies with a lifetime of a day. A day is 86400 seconds. That means we need to poll each server every 10800 seconds. With 1000 servers and M=15 (from the draft) that will take a Khronos poll every (10800/1000)*15 => 162 seconds. If Khronos runs at 10x the poll time of ntpd, that's not going to work. We could gain a factor of 2 or 3 by dropping cookies older than a day. (and asking for several more to fill up again when we do poll a server) Of course, NTS doesn't work with the pool and I don't see how to fix that, so this is all a wild goose chase. Maybe we should be comparing Khronos with 1 or 2 trusted servers using NTS. -- These are my opinions. I hate spam.
- [Ntp] Pool and DNS Hal Murray
- [Ntp] Antw: [EXT] Pool and DNS Ulrich Windl
- Re: [Ntp] Pool and DNS Marcus Dansarie
- Re: [Ntp] [EXT] Pool and DNS Neta R S
- Re: [Ntp] [EXT] Pool and DNS David Venhoek
- Re: [Ntp] [EXT] Pool and DNS Neta R S
- Re: [Ntp] Pool and DNS Hal Murray
- [Ntp] Antw: [EXT] Re: Pool and DNS Ulrich Windl
- Re: [Ntp] Pool and DNS Miroslav Lichvar
- Re: [Ntp] Pool and DNS Christer Weinigel
- Re: [Ntp] Pool and DNS Christer Weinigel
- Re: [Ntp] Pool and DNS Miroslav Lichvar
- Re: [Ntp] Pool and DNS Leif Johansson