Features I'd like to add to NTPsec
James Browning
jamesb192 at jamesb192.com
Sun Mar 22 18:29:20 UTC 2026
== Server flag to automatically remove it when bad.
> server -4 time.cloudflare.com nts preempt
The intent here is to remove a peer[1] if it's bad for some reason.
This needs a server flag exposed.
I have a merge request for this somewhere.
[1] added via 'server'
== Handle NTS pool correctly
> pool 0.ke.experimental.ntspooltest.org iburst nts
Currently, that only spins up a single server. It should instead
spin up two per round, until enough peers are available.
This will need some work in
ntp_proto.c:dns_take_{pool, server},
nts_client.c:nts_{check, probe}, and ntp_dns.c
== Handle DNS service records [2]
> pool _ntske._tcp.ke.experimental.ntspooltest.org iburst nts srv
> server _ntske._tcp.jamesb192.com burst nts srv
Eventually, the above should spin up some NTS servers from service
records; this will involve some work in ntp_dns.c and related areas.
[2] Two developers have a branch at:
https://github.com/pendulum-project/pool-ntpsec/tree/srv-client
I do not care for it much.
== Add server filter via DNSSEC record check
> server -6 time.cloudflare.com nts dnssec 3 iburst
Soon, we should support three levels of DNSSEC validation:
- reject invalid signatures
- recheck them once after BUILD_EPOCH
- only accept valid signatures.
== Add support for mdns/zeroconf, probably in addition to the above.
> pool -4 _ntp._udp.local mdns srv iburst
This is unlikely to happen anytime soon.