Re: [Ntp] NTS pool support

Ask Bjørn Hansen <ask@develooper.com> Sun, 21 July 2019 03:19 UTC

Return-Path: <ask@develooper.com>
X-Original-To: ntp@ietfa.amsl.com
Delivered-To: ntp@ietfa.amsl.com
Received: from localhost (localhost [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id C364C1200B3 for <ntp@ietfa.amsl.com>; Sat, 20 Jul 2019 20:19:11 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -1.899
X-Spam-Level:
X-Spam-Status: No, score=-1.899 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, HTML_MESSAGE=0.001, RCVD_IN_DNSWL_NONE=-0.0001, SPF_HELO_NONE=0.001, SPF_PASS=-0.001] autolearn=ham autolearn_force=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id Olc1MN1pEsIA for <ntp@ietfa.amsl.com>; Sat, 20 Jul 2019 20:19:10 -0700 (PDT)
Received: from mx-out1.ewr1.develooper.com (mx-out1.ewr1.develooper.com [139.178.64.59]) by ietfa.amsl.com (Postfix) with ESMTP id 621F612006A for <ntp@ietf.org>; Sat, 20 Jul 2019 20:19:10 -0700 (PDT)
Received: from mbox1.develooper.com (unknown [147.75.38.211]) (using TLSv1 with cipher ADH-AES256-SHA (256/256 bits)) (No client certificate requested) by mx-out1.ewr1.develooper.com (Postfix) with ESMTPS id 930656E049F for <ntp@ietf.org>; Sun, 21 Jul 2019 03:19:09 +0000 (UTC)
Received: from mbox1.develooper.com (mbox1.develooper.com [127.0.0.1]) (using TLSv1 with cipher DHE-RSA-AES256-SHA (256/256 bits)) (No client certificate requested) by mbox1.develooper.com (Postfix) with ESMTPS id 56B821760B2 for <ntp@ietf.org>; Sat, 20 Jul 2019 20:19:09 -0700 (PDT)
Received: (qmail 5183 invoked from network); 21 Jul 2019 03:19:09 -0000
Received: from c-98-248-50-174.hsd1.ca.comcast.net (HELO ?10.0.200.100?) (ask@mail.dev@98.248.50.174) by smtp.develooper.com with ESMTPA; 21 Jul 2019 03:19:09 -0000
From: =?utf-8?Q?Ask_Bj=C3=B8rn_Hansen?= <ask@develooper.com>
Message-Id: <17C0BC71-F9A8-4839-B593-0AF18967F5B6@develooper.com>
Content-Type: multipart/alternative; boundary="Apple-Mail=_97F4C73C-E427-498D-A811-CF9FB446C2AD"
Mime-Version: 1.0 (Mac OS X Mail 12.4 \(3445.104.11\))
Date: Sat, 20 Jul 2019 20:18:57 -0700
In-Reply-To: <3cd8c65b-a37c-863e-ea2c-2de0a5aeee96@weinigel.se>
Cc: ntp@ietf.org
To: Christer Weinigel <christer@weinigel.se>
References: <3cd8c65b-a37c-863e-ea2c-2de0a5aeee96@weinigel.se>
X-Mailer: Apple Mail (2.3445.104.11)
Archived-At: <https://mailarchive.ietf.org/arch/msg/ntp/xjHyp0FrRA5CAGsTZKOJRoJRjgw>
Subject: Re: [Ntp] NTS pool support
X-BeenThere: ntp@ietf.org
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: <ntp.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ntp>, <mailto:ntp-request@ietf.org?subject=unsubscribe>
List-Archive: <https://mailarchive.ietf.org/arch/browse/ntp/>
List-Post: <mailto:ntp@ietf.org>
List-Help: <mailto:ntp-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ntp>, <mailto:ntp-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sun, 21 Jul 2019 03:19:12 -0000


> On Jul 20, 2019, at 1:37 PM, Christer Weinigel <christer@weinigel.se>; wrote:
> 
> The best thing about DNS SRV records is that the target (host) is a
> fully qualified domain name, which means that when the NTS client
> connects to the NTSKE server it will match the name that's present in
> the TLS certificate for the server.  This means that the administrator
> of the pool does not have to manage the TLS certificates and private
> keys, that's up to whoever manages each NTSKE server.


In this scenario, for the client to know that the server behind the SRV record are trusted by the pool system, it will have to either do end-to-end DNSSEC (and the pool DNS has to support it), or the CA used for the server need to be explicitly tied to the pool configuration. If not then your ISP can easily hi-jack the service in a way that’s not possible with “regular NTS”. Or maybe I am missing something. :-)


Ask