What's left to do on NTS
Gary E. Miller
gem at rellim.com
Mon Mar 4 21:28:24 UTC 2019
Yo Hal!
On Mon, 04 Mar 2019 12:58:14 -0800
Hal Murray via devel <devel at ntpsec.org> wrote:
> rlaager at wiktel.com said:
> > CNAMEs don't really help. Certificate validation uses the original
> > name anyway.
>
> I was assuming we could intercept the CNAME and use that for
> certificate validation. Maybe I should have said SRV or TXT or ???
The name in ntp.conf MUST match the name in the cert. Unless you
override it ("noval", pin, etc.).
> The normal getaddrinfo and friends automatically follow CNAMEs.
> Thus my comment about needing some DNS code.
Which opens a big fat back door.
RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
gem at rellim.com Tel:+1 541 382 8588
Veritas liberabit vos. -- Quid est veritas?
"If you can’t measure it, you can’t improve it." - Lord Kelvin
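
The point made in the message above (the name in ntp.conf, not a name learned from DNS, is what the certificate is checked against) can be seen in a small model. This is an added example, not part of the original post and not NTPsec code; the function names, host names and certificate name lists are constructed, and it assumes the CNAME answer is unauthenticated (no DNSSEC).

```python
# Added illustration: which name should a certificate be checked against?
# All names and sample data are constructed for this example.

def name_matches(pattern, host):
    """RFC 6125-style match: case-insensitive, '*' only as the whole
    left-most label, and never directly under a top-level domain."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h) or not all(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h


def reference_identity(configured, cname_chain, follow_cname):
    """Pick the name the certificate is compared with.

    follow_cname=True models validating against the CNAME target: the
    reference name then comes from DNS data instead of the config file.
    """
    if follow_cname and cname_chain:
        return cname_chain[-1]
    return configured


def validate(configured, cname_chain, cert_sans, follow_cname=False):
    """Return True if any dNSName in the certificate matches the reference."""
    ref = reference_identity(configured, cname_chain, follow_cname)
    return any(name_matches(san, ref) for san in cert_sans)


# Constructed scenario: the config names ntp.example.com, but a forged DNS
# answer redirects it to a host that holds a valid certificate for its own name.
CONFIGURED = "ntp.example.com"
FORGED_CHAIN = ["time.attacker.example"]
OTHER_HOST_SANS = ["time.attacker.example"]

if __name__ == "__main__":
    print("configured name:", validate(CONFIGURED, FORGED_CHAIN, OTHER_HOST_SANS))
    print("CNAME target:   ", validate(CONFIGURED, FORGED_CHAIN, OTHER_HOST_SANS,
                                       follow_cname=True))
```

With the configured name as the reference, the redirected connection fails validation; with the CNAME target as the reference, whoever controls the DNS answer also chooses which certificate is accepted.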