-4 and -6 should work with nts

Gary E. Miller gem at rellim.com
Thu Mar 21 20:03:29 UTC 2019


Yo Hal!

On Thu, 21 Mar 2019 12:32:20 -0700
Hal Murray via devel <devel at ntpsec.org> wrote:

> > Hmm, I've got issues.  Would be nice if ntpmon showed the IPv4/IPv6
> > status.
> 
> That's not a NTS issue.  (Yes, it would be nice if we could improve
> it, but not high on my list.)

True, but I need something to help me debug NTS.

> You might be able to get what you want if the reverse DNS has a 4/6
> in the name.  I'm not a wizard in this area.

Which breaks Let's Encrypt.  Not gonna do that.

> > I added this to kong.rellim.com:
> > server pi3.rellim.com nts -4 maxpoll 5 
> > server pi3.rellim.com nts -6 maxpoll 5  
> 
> I think the -4 and -6 go between the "server" and host name.  Please
> check the log files for an error message.

I just sent you my logs.

Putting the -4 or -6 before nts totally breaks nts.

Bummer this is order dependent...

New log, with the -4/-6 and nts swapped, attached.

> > TLS 1.2 only, TCP port 123.  They will go up and down frequently.  
> 
> TLS 1.3 now available on ntp1.glypnod.com (San Francisco) and
> ntp2.glypnod.com (London).

Sort of.  I added this to kong:

server ntp1.glypnod.com nts

No TLS 1.3:

2019-03-21T13:00:21 ntpd[26975]: DNS: dns_probe: ntp1.glypnod.com, cast_flags:1, flags:21801
2019-03-21T13:00:22 ntpd[26975]: NTSc: DNS lookup of ntp1.glypnod.com took 0.846 sec
2019-03-21T13:00:22 ntpd[26975]: NTSc: nts_probe connecting to ntp1.glypnod.com:ntp => [2604:a880:1:20::17:5001]:123
2019-03-21T13:00:22 ntpd[26975]: NTSc: Using TLSv1.2, ECDHE-RSA-AES256-GCM-SHA384 (256)
2019-03-21T13:00:22 ntpd[26975]: NTSc: certificate subject name: /CN=ntp1.glypnod.com
2019-03-21T13:00:22 ntpd[26975]: NTSc: certificate issuer name: /C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2019-03-21T13:00:22 ntpd[26975]: NTSc: certificate is valid.
2019-03-21T13:00:22 ntpd[26975]: NTSc: read 880 bytes
2019-03-21T13:00:22 ntpd[26975]: NTSc: Got 8 cookies, length 104, aead=15.
2019-03-21T13:00:22 ntpd[26975]: NTSc: NTS-KE req to ntp1.glypnod.com took 1.009 sec, OK
2019-03-21T13:00:22 ntpd[26975]: DNS: dns_check: processing ntp1.glypnod.com, 1, 21801
2019-03-21T13:00:22 ntpd[26975]: DNS: Server taking: 2604:a880:1:20::17:5001
2019-03-21T13:00:22 ntpd[26975]: DNS: Server poking hole in restrictions for: 2604:a880:1:20::17:5001
2019-03-21T13:00:22 ntpd[26975]: DNS: dns_take_status: ntp1.glypnod.com=>good, 0
2019-03-21T13:00:22 ntpd[26975]: PROTO: 2604:a880:1:20::17:5001 a014 84 reachable

Don't I need OpenSSL Version 1.1.1 for TLS 1.3?

RGDS
GARY
---------------------------------------------------------------------------
Gary E. Miller Rellim 109 NW Wilmington Ave., Suite E, Bend, OR 97703
	gem at rellim.com  Tel:+1 541 382 8588

	    Veritas liberabit vos. -- Quid est veritas?
    "If you can’t measure it, you can’t improve it." - Lord Kelvin
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ntp.log
Type: text/x-log
Size: 730278 bytes
Desc: not available
URL: <https://lists.ntpsec.org/pipermail/devel/attachments/20190321/05cab011/attachment-0002.bin>
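
Added example, not part of the original message and not NTPsec code: a Python script that reads NTSc lines like the excerpt above and reports, per NTS-KE attempt, the address family, negotiated TLS version, cipher and cookie count, then lists hosts that did not get TLS 1.3. Assumptions: the last three sample lines are constructed (nts.example.net and 192.0.2.10 are placeholders, and the IPv4 target format is assumed), and each "Using TLS" line is taken to belong to the most recent "nts_probe connecting" line.

```python
import ipaddress
import re

# First three lines are copied from the log excerpt in the post; the last
# three are constructed (host, address and TLS 1.3 cipher line are assumed).
SAMPLE_LOG = """\
2019-03-21T13:00:22 ntpd[26975]: NTSc: nts_probe connecting to ntp1.glypnod.com:ntp => [2604:a880:1:20::17:5001]:123
2019-03-21T13:00:22 ntpd[26975]: NTSc: Using TLSv1.2, ECDHE-RSA-AES256-GCM-SHA384 (256)
2019-03-21T13:00:22 ntpd[26975]: NTSc: Got 8 cookies, length 104, aead=15.
2019-03-21T13:05:10 ntpd[26975]: NTSc: nts_probe connecting to nts.example.net:ntp => 192.0.2.10:123
2019-03-21T13:05:10 ntpd[26975]: NTSc: Using TLSv1.3, TLS_AES_256_GCM_SHA384 (256)
2019-03-21T13:05:10 ntpd[26975]: NTSc: Got 8 cookies, length 104, aead=15.
"""

CONNECT = re.compile(r"NTSc: nts_probe connecting to (\S+?):\S+ => (\S+)$")
TLS = re.compile(r"NTSc: Using (TLSv[\d.]+), (\S+)")
COOKIES = re.compile(r"NTSc: Got (\d+) cookies")


def summarize(log_text):
    """Return one dict per NTS-KE attempt: host, family, TLS version, cipher, cookies."""
    sessions, current = [], None
    for line in log_text.splitlines():
        if m := CONNECT.search(line):
            addr = m.group(2).rsplit(":", 1)[0].strip("[]")  # drop port and brackets
            family = "IPv%d" % ipaddress.ip_address(addr).version
            current = {"host": m.group(1), "family": family,
                       "tls": None, "cipher": None, "cookies": 0}
            sessions.append(current)
        elif current is None:
            continue  # detail line with no preceding connect line
        elif m := TLS.search(line):
            current["tls"], current["cipher"] = m.group(1), m.group(2)
        elif m := COOKIES.search(line):
            current["cookies"] = int(m.group(1))
    return sessions


def below_tls13(sessions):
    """Hosts whose key exchange negotiated anything other than TLS 1.3."""
    return [s["host"] for s in sessions if s["tls"] and s["tls"] != "TLSv1.3"]


if __name__ == "__main__":
    for s in summarize(SAMPLE_LOG):
        print("{host:20} {family} {tls} {cipher} cookies={cookies}".format(**s))
    print("not TLS 1.3:", below_tls13(summarize(SAMPLE_LOG)))
```
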