Fwd: Future directions

Hal Murray hmurray at megapathdsl.net
Tue Sep 17 00:37:31 UTC 2019


> - a multicast DNS broadcaster for NTS.
> - additions to the DNS code to allow non-A/AAAA pools. (cname/srv probably)
> - Additions to the DNS code to allow for mdns monitoring. 

I'm not a DNS wizard.  That area is slightly ugly in that the DNS work is done 
in a separate thread so there is some work to get to/from that thread.  But 
that code exists and once inside that thread you can do whatever is needed.

There are restrictions on DNS for NTS.  You start with a text string from a 
config file.  You need to turn that into an IP Address and then the host at 
that address has to have a certificate that matches that text.  That is all 
straightforward if the text is a host name.  I don't see how multicast helps.  
cnames are no problem as long as the host you contact has a certificate that 
matches the initial text/name.  If you want to do anything more complicated, 
then you are dragging DNS into the NTS security model.  That seems like a good 
area to avoid.


> - replace mode6 with a tcp service. (it was only IIRC in v2-3 RFCs)
> - - or work on the auth code for ntpq a bit.

The current mode6 has 2 levels of auth.  There is a simple cookie handshake to 
make sure you are not responding to a forged IP Address.  Then there is a 
password to enable writing.  I think that password is sent in the clear.  
restrict gets tangled up in here.  I'd have to check the details.  I'd be 
happy to fix the password in the clear.

TCP drags in a pile of complications.  You have to limit the number of 
connections and then worry about bad guys tying them up.  We already have 
those problems with the NTS-KE servers.

Using TLS rather than raw TCP seems like the way to go.  The mode6 TLS server 
could use UDP to talk to the old mode6 ntpd server.

I never use ntpq to write anything so none of that is high on my list.


> Given the increase in threading would it be possible to shove smb auth into a
> thread? 

Possible?  Sure.  But not worth much effort unless we find an interested user.



-- 
These are my opinions.  I hate spam.
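The NTS constraint described in the first reply above (config-file name resolved to an address, certificate must match the original name even when DNS goes through a CNAME) is easy to get wrong by validating against whatever name the resolver ended up at. The following Python is an added example, not code from the mail or from the NTPsec code base; the DNS table, the certificate dicts (shaped like `ssl.SSLSocket.getpeercert()` output) and the function names are all constructed for illustration.

```python
"""Added example: check an NTS peer's certificate against the configured name,
not against the CNAME target or the address that resolution produced.
All DNS data and certificates below are constructed, not real."""
import ipaddress

# Constructed DNS data: the configured name is a CNAME to a pool member.
DNS_TABLE = {
    "time.example.org.": ("CNAME", "srv7.pool.example.net."),
    "srv7.pool.example.net.": ("A", "192.0.2.10"),
}

# Constructed certificates in getpeercert() shape.
CERT_CANONICAL_ONLY = {  # only names the CNAME target: must be rejected
    "subject": ((("commonName", "srv7.pool.example.net"),),),
    "subjectAltName": (("DNS", "srv7.pool.example.net"),),
}
CERT_CONFIGURED = {      # names the configured host (plus a pool wildcard)
    "subject": ((("commonName", "time.example.org"),),),
    "subjectAltName": (("DNS", "time.example.org"),
                       ("DNS", "*.pool.example.net")),
}


def resolve(name, table=DNS_TABLE, max_hops=8):
    """Follow CNAMEs until an A/AAAA record; return (address, canonical_name)."""
    cur = name.lower().rstrip(".") + "."
    for _ in range(max_hops):
        rtype, value = table[cur]          # KeyError means the name is unknown
        if rtype in ("A", "AAAA"):
            return value, cur.rstrip(".")
        cur = value                        # CNAME: keep following
    raise ValueError("CNAME chain too long")


def hostname_matches(pattern, name):
    """RFC 6125-style DNS-ID match: a wildcard is allowed only as the whole
    left-most label and matches exactly one label."""
    pattern = pattern.lower().rstrip(".")
    name = name.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == name
    p_labels, n_labels = pattern.split("."), name.split(".")
    if p_labels[0] != "*" or any("*" in lab for lab in p_labels[1:]):
        return False                       # partial or nested wildcards rejected
    return len(p_labels) == len(n_labels) and p_labels[1:] == n_labels[1:]


def cert_names(cert):
    """DNS identities of a certificate: SAN entries win; CN only as fallback."""
    names = [v for t, v in cert.get("subjectAltName", ()) if t == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn
            if k == "commonName"]


def _is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False


def cert_matches(cert, configured_name):
    """True if the certificate is valid for the name from the config file."""
    if _is_ip(configured_name):
        return False                       # NTS needs a host name, not an address
    return any(hostname_matches(p, configured_name) for p in cert_names(cert))


def check_nts_peer(configured_name, cert, table=DNS_TABLE):
    """Resolve the configured name, then validate the certificate against the
    configured name only. The canonical name is reported for logging, never
    used for the match, so DNS cannot widen what the certificate must prove."""
    address, canonical = resolve(configured_name, table)
    return {
        "address": address,
        "canonical": canonical,
        "accepted": cert_matches(cert, configured_name),
    }


if __name__ == "__main__":
    for label, cert in (("canonical-only", CERT_CANONICAL_ONLY),
                        ("configured", CERT_CONFIGURED)):
        print(label, check_nts_peer("time.example.org", cert))
```

The deliberate design choice is that `check_nts_peer` never passes `canonical` into `cert_matches`: a certificate that only names the CNAME target is rejected, which is exactly what keeps DNS answers out of the NTS trust decision.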