ntp.conf changes for NTS
Richard Laager
rlaager at wiktel.com
Wed Jan 30 22:59:28 UTC 2019
On 1/30/19 2:37 PM, Gary E. Miller via devel wrote:
> Sure there is, we now have a choice that did not formerly exist, and I
> can see uses for both:
>
> 1. If we do not get desired server: fail
> 2. If we do not get desired server: use the offered one instead
>
> #2 is new to NTS.
>
> For an unattended server, I would want #2. For testing, or a closely
> watched server, I would want #1.
There's another complication too. The server can send back a name or an
IP address. What happens if the client request contains a name and the
server's response contains an IP? That might be a match (e.g. if the
client performs an A/AAAA lookup for the name it requested, it gets back
that IP in the response) or it might not.
I wonder if a pool server might do this. You ask for
"us.nts.pool.ntp.org" and it gives you back a particular IP to connect
to. In that case, you'd want to follow the referral.
I think it would be useful to understand the use case(s) for the client
requesting a specific server vs the use case(s) for a user configuring
the client to request a specific server.
Or, you can punt this all to the user by offering both choices:
nts nts-ke.example.org
^^ Accepts whatever is returned.
nts nts-ke.example.org ask ntpd.example.org
^^ Sends an explicit request. Accepts whatever is returned.
nts nts-ke.example.org require ntpd.example.org
^^ Sends an explicit request. If not mirrored back exactly, stop.
Here's another wrinkle. Does the first example, "nts
nts-ke.example.org", send a request for "nts-ke.example.org"? I think it
should.
--
Richard
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 488 bytes
Desc: OpenPGP digital signature
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20190130/a5bdef6e/attachment.bin>
More information about the devel
mailing list