Re: [Ntp] Pool and DNS
Christer Weinigel <christer@weinigel.se> Tue, 08 November 2022 14:39 UTC
On Sat, 2022-10-22 at 22:34 -0700, Hal Murray wrote:
> One day seemed like a reasonable number.
>
> RFC 8915, section 6, Suggested Format for NTS Cookies, says:
>     Servers should periodically (e.g., once daily) generate a new
>     pair '(I,K)' and immediately switch to using these values for
>     all newly-generated cookies.
>
> So one day is what I used in NTPsec. (and my thinking)

Same here. Netnod's NTS servers rotate their server keys once per day.

> It's easy to save a few old keys. We should probably agree on some
> lifetime.
>
> I'd be happy with 5 or 10. 365 seems unreasonable.

Netnod's servers keep track of four keys: the current one, which it uses to generate new cookies, and three more keys which it will still be able to use to decrypt old cookies.

> NTPsec packages the KE server with ntpd so there is no need for that
> protocol.
> I don't know of any split implementations. So as a practical matter, it
> would be hard to put together a pool using that mechanism with
> available code.

Netnod's servers use a split implementation. The NTS-KE server runs on a PC and the NTS timestamping is done in an FPGA (inside an Arista 7130 switch). Actually we have two redundant sets of servers which share the same set of keys, so if you use the NTS-KE server at sth1.nts.netnod.se it will generate cookies which work with the NTS timestamping server found at sth2-ts.nts.netnod.se.

/Christer
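The key-rotation scheme discussed in this thread (a current (I,K) pair used for new cookies, a few older pairs retained so that cookies minted before the last rotations still decrypt, and a shared key set across redundant NTS-KE and timestamping servers) is easy to get subtly wrong, so here is an added illustration. It is not code from Netnod, NTPsec, or RFC 8915; the cookie layout (4-byte key identifier, 16-byte nonce, sealed AEAD id plus C2S/S2C keys) follows the spirit of RFC 8915 section 6 but is a simplification, and the AEAD is a constructed HMAC-SHA256-based stand-in so the example needs only the Python standard library. The retention count of three old keys mirrors the four-key arrangement described above; all other names and values are assumptions.

```python
import hashlib
import hmac
import secrets

TAG_LEN = 16        # truncated MAC length for the toy AEAD (assumption)
NONCE_LEN = 16      # per-cookie nonce length (assumption)
KEY_ID_LEN = 4      # width of the key identifier I in the cookie (assumption)


def _keystream(key: bytes, nonce: bytes, n: bytes) -> bytes:
    """HMAC-in-counter-mode keystream: a stand-in for a real AEAD's cipher."""
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def toy_aead_seal(key: bytes, nonce: bytes, aad: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with domain-separated subkeys (toy, not AEAD_AES_SIV_CMAC_256)."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    return ct + tag


def toy_aead_open(key: bytes, nonce: bytes, aad: bytes, sealed: bytes):
    """Returns the plaintext, or None if the tag does not verify."""
    if len(sealed) < TAG_LEN:
        return None
    ct, tag = sealed[:-TAG_LEN], sealed[-TAG_LEN:]
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    expect = hmac.new(mac_key, aad + nonce + ct, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expect):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


class CookieKeyRing:
    """Holds the current (I,K) pair plus `retained_old` previous pairs."""

    def __init__(self, retained_old: int = 3):
        self.retained_old = retained_old
        self.keys: dict[int, bytes] = {}   # key identifier I -> server key K
        self.current_id = None

    def rotate(self) -> int:
        """Generate a new (I,K), make it current, and forget keys that are too old."""
        new_id = 1 if self.current_id is None else self.current_id + 1
        self.keys[new_id] = secrets.token_bytes(32)
        self.current_id = new_id
        for kid in sorted(self.keys):
            if new_id - kid > self.retained_old:
                del self.keys[kid]      # cookies minted under this I now force a new NTS-KE run
        return new_id

    def sync_from(self, other: "CookieKeyRing") -> None:
        """Copy the key set from a peer so that a redundant server accepts its cookies."""
        self.keys = dict(other.keys)
        self.current_id = other.current_id


def make_cookie(ring: CookieKeyRing, aead_id: int, c2s: bytes, s2c: bytes) -> bytes:
    """Cookie = I || nonce || seal_K(aead_id || C2S || S2C), with I||nonce as associated data."""
    kid = ring.current_id
    nonce = secrets.token_bytes(NONCE_LEN)
    header = kid.to_bytes(KEY_ID_LEN, "big") + nonce
    plaintext = aead_id.to_bytes(2, "big") + c2s + s2c
    return header + toy_aead_seal(ring.keys[kid], nonce, header, plaintext)


def open_cookie(ring: CookieKeyRing, cookie: bytes):
    """Returns (aead_id, c2s, s2c) or None for an unknown/expired key id or a bad tag."""
    if len(cookie) < KEY_ID_LEN + NONCE_LEN + TAG_LEN:
        return None
    kid = int.from_bytes(cookie[:KEY_ID_LEN], "big")
    key = ring.keys.get(kid)
    if key is None:
        return None                     # key rotated away: client must re-run NTS-KE
    header, nonce = cookie[:KEY_ID_LEN + NONCE_LEN], cookie[KEY_ID_LEN:KEY_ID_LEN + NONCE_LEN]
    pt = toy_aead_open(key, nonce, header, cookie[KEY_ID_LEN + NONCE_LEN:])
    if pt is None or len(pt) != 2 + 64:
        return None
    return int.from_bytes(pt[:2], "big"), pt[2:34], pt[34:66]


def demo() -> bool:
    """Walks through rotation: a cookie survives three rotations and dies on the fourth."""
    ke_server = CookieKeyRing(retained_old=3)
    ke_server.rotate()
    c2s, s2c = secrets.token_bytes(32), secrets.token_bytes(32)   # constructed sample keys
    cookie = make_cookie(ke_server, 15, c2s, s2c)                  # 15 = AEAD_AES_SIV_CMAC_256
    ts_server = CookieKeyRing(retained_old=3)
    ts_server.sync_from(ke_server)                                 # redundant peer, same keys
    for _ in range(3):
        ke_server.rotate()
    still_ok = open_cookie(ke_server, cookie) == (15, c2s, s2c)
    peer_ok = open_cookie(ts_server, cookie) == (15, c2s, s2c)
    ke_server.rotate()
    expired = open_cookie(ke_server, cookie) is None
    return still_ok and peer_ok and expired and len(ke_server.keys) == 4
```

Two points the code makes explicit: a timestamping server that shares the key set (here via `sync_from`) accepts cookies issued by its peer, which is what lets sth1 KE cookies work against sth2-ts; and the moment the issuing key leaves the ring, `open_cookie` returns `None` rather than guessing, so the client falls back to a fresh NTS-KE exchange.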