Catching up

Hal Murray halmurray at sonic.net
Sat Jul 30 09:18:12 UTC 2022


It's also testing the list mail system.  As far as I know, that hasn't been 
fixed.

There are 2 interesting areas worthy of attention.

--------

The first is #707, NTPv1 traffic dropped in 1.2.1
  https://gitlab.com/NTPsec/ntpsec/-/issues/707
(We should have fixed this ages ago.)

I have a partial fix that I'll push soon -- basically reverting the change 
that broke things.

But it's more complicated than that.  I took a look at some traffic to a pool 
server.  There are 3 different versions of NTPv1 traffic.  I/we have no way to 
test this area since we don't know what sort of filtering (if any) the client 
code is doing.

This brings up another can of worms.  How long are we expected to support 
NTPv1?

----------

The second area is a simple merge request to disable DNSSEC for ntpd.
  https://gitlab.com/NTPsec/ntpsec/-/merge_requests/1283

DNSSEC has time-must-be-close-enough requirements, just like NTS needs the 
clock to be close enough when checking certificates.

Again, things are complicated.  I'm working on a README-STARTING to collect 
ideas about getting started.  I think the basic issue is do we want:
  ntpd to work most of the time but maybe insecurely
or
  ntpd to work securely but maybe never get started
The first is the way that ntpd worked before NTS or DNSSEC.  You could fix up 
your broken battery-backed clock by running ntpd.  Some users expect that.


-- 
These are my opinions.  I hate spam.




