Re: [Ntp] Pool and DNS

Leif Johansson <leifj@mnt.se> Tue, 08 November 2022 16:47 UTC

From: Leif Johansson <leifj@mnt.se>
Date: Tue, 08 Nov 2022 16:47:18 +0000
Message-Id: <C1B45EBA-CF06-468D-A366-C1214D171924@mnt.se>
References: <Y2p6bssd2IcPQIF4@localhost>
Cc: Christer Weinigel <christer@weinigel.se>, Hal Murray <halmurray@sonic.net>, ntp@ietf.org
In-Reply-To: <Y2p6bssd2IcPQIF4@localhost>
To: Miroslav Lichvar <mlichvar@redhat.com>
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/lk7aCt-gvs4KEwFIN_-kpDVsiAM>
Subject: Re: [Ntp] Pool and DNS
List-Id: Network Time Protocol <ntp.ietf.org>

Yeah, I suggest looking at how the pool DNS is implemented. It is not your standard off-the-shelf nameserver, for good reason. It's all on GitHub.

Cheers Leif

> 
> On 8 Nov 2022, at 15:49, Miroslav Lichvar <mlichvar@redhat.com> wrote:
> 
> On Tue, Nov 08, 2022 at 04:36:03PM +0100, Christer Weinigel wrote:
>> My patch is just a quick proof of concept.  Someone who knows more
>> about the NTPsec code ought to see if I have misunderstood anything. 
>> There are a few things I'm already aware of.  The current code will always
>> look for SRV records, it probably should be a flag to ntpsec to turn
>> this behavior on.  One might also want to add a flag to say that for a
>> specific pool NTS must be used to avoid man-in-the-middle-attacks that
>> can downgrade to plain NTP by filtering out the SRV records from DNS. 
>> If the ntp client can store persistent data it might also want to
>> remember "I have successfully used NTS once for this pool, I will not
>> allow plain NTP any more".
>> 
>> Thoughts?
> 
> IIRC this idea was discussed before and the main issue was that it
> relies on DNSSEC, which pool.ntp.org doesn't support and for a client
> on a typical OS it might be difficult to enforce.
> 
> -- 
> Miroslav Lichvar
> 
> _______________________________________________
> ntp mailing list
> ntp@ietf.org
> https://www.ietf.org/mailman/listinfo/ntp
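The client-side policy Christer sketches in the quoted message (look up SRV records for a pool, optionally require NTS for that pool, and remember that NTS once worked so plain NTP is never accepted again) can be written down as a small decision function. The Python below is an added example for this archive page; it is not code from the thread, from NTPsec or from the pool project. The SRV owner name `_ntske._tcp.<pool>`, the sample records, the `DnsAnswer` stand-in for a resolver result and the `dnssec_validated` flag are all assumptions made for illustration; no DNS queries are sent. It also makes Miroslav's point concrete: when the answer is empty and was not DNSSEC-validated, the client cannot tell "no SRV records exist" from "an on-path attacker removed them", so only a per-pool `require_nts` flag or a remembered earlier NTS success turns that empty answer into a refusal.

```python
from __future__ import annotations
import re
from dataclasses import dataclass, field

# Added example, not from the thread, NTPsec or the pool project. The SRV
# owner name `_ntske._tcp.<pool>` and all names below are assumptions.
NTP_PORT = 123
NTSKE_DEFAULT_PORT = 4460  # RFC 8915 default port for NTS-KE

@dataclass(frozen=True)
class Srv:
    priority: int
    weight: int
    port: int
    target: str

@dataclass
class DnsAnswer:
    """Constructed stand-in for a resolver result (no network access)."""
    records: list            # SRV records; empty if absent or filtered on path
    dnssec_validated: bool   # True only if the resolver validated the answer

@dataclass
class PinStore:
    """Persistent memory of pools that have completed NTS-KE successfully."""
    nts_seen: set = field(default_factory=set)

    def pin(self, pool: str) -> None:
        self.nts_seen.add(pool.lower())

    def is_pinned(self, pool: str) -> bool:
        return pool.lower() in self.nts_seen

@dataclass(frozen=True)
class Decision:
    mode: str        # "nts", "ntp" or "refuse"
    targets: tuple   # ((host, port), ...) in the order they should be tried
    reason: str

# Zone-file presentation format: owner TTL IN SRV priority weight port target
SRV_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+SRV\s+(\d+)\s+(\d+)\s+(\d+)\s+(\S+)$")

def parse_srv(zone_text: str) -> list:
    """Parse SRV records in presentation format; reject anything else."""
    records = []
    for raw in zone_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = SRV_LINE.match(line)
        if m is None:
            raise ValueError(f"not an SRV record: {line!r}")
        _owner, _ttl, pri, wt, port, target = m.groups()
        records.append(Srv(int(pri), int(wt), int(port), target.rstrip(".")))
    return records

def order_srv(records: list) -> list:
    """RFC 2782 order: lowest priority first, then higher weight first
    (a deterministic stand-in for the weighted random pick within a priority)."""
    return sorted(records, key=lambda r: (r.priority, -r.weight, r.target))

def select_sources(pool: str, answer: DnsAnswer, require_nts: bool, pins: PinStore) -> Decision:
    """Decide how to reach `pool` from the SRV lookup result."""
    if answer.records:
        # SRV present: NTS-KE over TLS authenticates the target, so a forged
        # record only yields a failed handshake, not a silent downgrade.
        targets = tuple((r.target, r.port) for r in order_srv(answer.records))
        return Decision("nts", targets, "SRV records present; try NTS-KE in SRV order")
    # Empty answer: the pool may have no SRV records, or an on-path attacker
    # may have filtered them to force plain NTP. Without DNSSEC these look alike.
    if require_nts:
        return Decision("refuse", (), "NTS required for this pool but no SRV records returned")
    if pins.is_pinned(pool):
        return Decision("refuse", (), "NTS worked for this pool before; refusing downgrade to plain NTP")
    if not answer.dnssec_validated:
        return Decision("ntp", ((pool, NTP_PORT),), "unvalidated empty answer; plain NTP, downgrade cannot be ruled out")
    return Decision("ntp", ((pool, NTP_PORT),), "DNSSEC-validated absence of SRV records; plain NTP")

def on_nts_success(pool: str, pins: PinStore) -> None:
    """Call after NTS-KE completes, so later empty answers are treated as downgrades."""
    pins.pin(pool)

# Constructed sample answer for a hypothetical pool name (not real pool.ntp.org data)
SAMPLE_SRV = """\
; constructed sample, hypothetical names
_ntske._tcp.pool.example. 3600 IN SRV 10 60 4460 nts1.pool.example.
_ntske._tcp.pool.example. 3600 IN SRV 10 40 4460 nts2.pool.example.
_ntske._tcp.pool.example. 3600 IN SRV 20 0 4460 nts-backup.pool.example.
"""

if __name__ == "__main__":
    pins = PinStore()
    full = DnsAnswer(parse_srv(SAMPLE_SRV), dnssec_validated=False)
    empty = DnsAnswer([], dnssec_validated=False)
    print(select_sources("pool.example", full, False, pins))    # nts, nts1 first
    print(select_sources("pool.example", empty, False, pins))   # ntp, with warning
    on_nts_success("pool.example", pins)
    print(select_sources("pool.example", empty, False, pins))   # refuse: pinned
    print(select_sources("pool.example", empty, True, pins))    # refuse: NTS required
```

Note that `on_nts_success` is deliberately separate from `select_sources`: the pin must be recorded only after NTS-KE actually succeeds, otherwise a forged SRV answer pointing at an unreachable target would lock the client out of the pool.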