NTS update

Gary E. Miller gem at rellim.com
Thu Mar 21 01:06:28 UTC 2019


Yo Hal!

On Wed, 20 Mar 2019 17:30:11 -0700
Hal Murray via devel <devel at ntpsec.org> wrote:

> > Uh, no.  You can easily get the FQDN from the IP.  
> 
> That adds DNS to the security chain.  Doesn't sound good to me.  It
> might work if you are using DNSSEC.  Complicated.

I am using DNSSEC.

> > Also, since there is no way to specify IPv4 or IPv6, the only way I
> > can make this work is by IP.
> > You need to add an option to force IPv4 or IPv6.   
> 
> There is a -4 and -6 option to the server command.  I don't think I
> check that yet.  Should be easy to fix, but it will have to wait
> until late tonight.

Ah, there it is right on the man page.  I can't try it until the
crash bug is gone.

> If you want a quick hack fix, in ntpd/nts_client.c, change the
>   hints.ai_family = AF_UNSPEC;
> to
>   hints.ai_family = AF_INET;  or AF_INET6
> That will get all of the NTS-KE connections on that system.

Which is not useful.

> > So how about you try to connect to one of them?  
> 
>      remote           refid      st t when poll reach   delay   offset   jitter
> ===============================================================================
> -kong.rellim.com 204.17.205.17    2 8   11   64  373  55.0190   1.1430   3.7460
> -spidey.rellim.c 204.17.205.17    2 8   18   64  373  55.2070   1.0170   1.2171
> -glypnod4        192.168.1.33     2 8    9   64  377   0.3929  -0.0821   0.0187
> -shuksan         .PPS.            1 u    3   64  377   0.2266   0.0779   0.0478
> +mon             192.168.1.33     2 u   12   64  377   0.3805   0.0496   0.0622
> -tom             .PPS.            1 u    8   64  377   0.4343   0.0137   0.0473
> ...
> 
> Looks good from here.  Note the 8 in the t column.

Odd, I tried it yet again, and this time it works.

I have the 8 in the "t" column.

I'll keep an eye on it.  Something odd...

I added nts-ke to: pi3.rellim.com, see how that works for you.

I have 3 NTS-KE working now.  There is extra jitter, and the clients
refuse to lock onto the NTS-KE servers.  They are rejected from the main
cluster.  Maybe it will settle down, time will tell.

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
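
The quick hack quoted in the message above changes `hints.ai_family` for every NTS-KE lookup on the host, while the `-4`/`-6` options are meant to apply per server. The following is an added example, not code from ntpsec or from this thread, that carries the family choice per server into `getaddrinfo()`; `family_pref`, `pref_to_af` and `resolve_ke` are hypothetical names, and the inputs in `main` are constructed.

```c
#define _POSIX_C_SOURCE 200112L
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>

/* Hypothetical per-server setting standing in for -4 / -6 on a server line. */
enum family_pref { PREF_ANY, PREF_V4, PREF_V6 };

static int pref_to_af(enum family_pref p)
{
    if (p == PREF_V4) return AF_INET;
    if (p == PREF_V6) return AF_INET6;
    return AF_UNSPEC;
}

/* Resolve host:service for a TCP connection, restricted to this server's
 * family.  Returns the family of the first matching address, or -1.
 * extra_flags lets a caller pass AI_NUMERICHOST to keep DNS out of it. */
int resolve_ke(const char *host, const char *service,
               enum family_pref pref, int extra_flags)
{
    struct addrinfo hints, *res, *ai;
    int found = -1;

    memset(&hints, 0, sizeof(hints));
    hints.ai_family = pref_to_af(pref);  /* per server, not one global edit */
    hints.ai_socktype = SOCK_STREAM;     /* NTS-KE is TLS over TCP */
    hints.ai_flags = extra_flags;

    if (getaddrinfo(host, service, &hints, &res) != 0)
        return -1;
    for (ai = res; ai != NULL; ai = ai->ai_next) {
        /* Defensive: skip any result outside the requested family. */
        if (hints.ai_family != AF_UNSPEC && ai->ai_family != hints.ai_family)
            continue;
        found = ai->ai_family;
        break;
    }
    freeaddrinfo(res);
    return found;
}

int main(void)
{
    /* Constructed inputs: IP literals and port "123", resolved without DNS. */
    printf("-4: %d\n", resolve_ke("127.0.0.1", "123", PREF_V4, AI_NUMERICHOST));
    printf("-6: %d\n", resolve_ke("127.0.0.1", "123", PREF_V6, AI_NUMERICHOST));
    return 0;
}
```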