Re: [Ntp] NTS pool support

["Patrik Fältström " <paf@frobbit.se>]

On 22 Jul 2019, at 0:15, Hal Murray wrote:

> If we trust DNS we could use real DNS/SRV records.

There are a few different approaches if one look at DNS:

- SRV

_prefix.domain. SRV port host

- NAPTR

domain. NAPTR service_type port host [sort of]

- URI

_prefix.domain. URI uri

> I'm not a DNS wizard.  I don't know how to setup DNSSEC.

DNSSEC consists of two parts:

1. Have a zone signed. Or in reality, each RRSet (all records of the same type, class and domain name) is signed by adding a signature to it, using asymmetric keys.

2. Have a signed response (i.e. RRSet) validated when it is sent as a response to a query.

Many people mix up the two.

> I'd be happy to use DNS/SRV if we find a DNS wizard who can point to a simple HOWTO type document that tells how to secure DNS.  We may need a separate document for each OS/distro.

Yes and no.

I think we should decide what we build the trust on, and where we se risks. We could say "for this to work, zone with records should be signed, and validation should happen or else the following attack vector exists".

For "how to use DNS", we must refer to DNS material. Like we do with other non-NTP stuff. And how non-NTP people should refer to us.

I do not want to write the "NTS for DNS people" guide :-)

> What's the general status of DNSSEC these days?

Regarding the two functions I talked about above:

- Signed zones is pretty good. Almost all TLDs are signed, which means if you have a domain in a signed TLD you should be able to sign your zone. You can do it automatically for example in Bind or other software, and many DNS providers automatically sign your zone even if you do not ask for it. The trouble is that whenever you have signed your zone, the public key you use for signing must be sent to the registry of the TLD where you have your domain, so that it can be signed and a chain of trust can be built. Not a problem unless you roll your keys.

- Validation is easy to do by "just" turning it on in your resolver. Unbound do it automatically for you for example. If you use your ISP resolver, the result varies. Google open DNS 8.8.8.8 and as far as I know all open DNS resolvers do validate DNSSEC signed responses.

> Is it ready for prime time?

Absolutely!

> Should we be using it to help build critical mass?

DNS people like me think one definitely can build other things like NTS using DNSSEC, given you first have something like rough time as the digital signatures in DNSSEC can be validated :-)

That said, we should write "you must have a DNSSEC chain of trust, or else build an equivalent chain of trust in some other way".

> Or using something else until more OSes/distros have good support?

It's all in there. It is not always deployed because people are lazy. Like IPv6. Similar syndrom. Although DNSSEC can be deployed even if your ISP have not deployed it. IPv6 is hard if you can not get IPv6 transit.

> Is there a simple/portable API to get SRV records?

Only the normal DNS API "one level deeper" than gethostbyname. But not more hard that that. You can still do sync calls, and do not have to deal with async socket stuff.

   Patrik