NTS and ipv6

Paul Theodoropoulos paul at anastrophe.com
Thu Jul 25 19:45:06 UTC 2019


On 7/25/19 12:17, Gary E. Miller wrote:
> Odd, does your kernel not support IPv6? What does your ntp.conf
> look like?
>
> I use NTS with IPv6 just fine.  Try pi4.rellim.com
Yup, supports ipv6, I just normally have it disabled in 
/boot/cmdline.txt - 'ipv6.disable=1'

>> 2019-07-25T12:03:53 ntpd[21436]: NTSc: Using system default root
>> certificates.
>> 2019-07-25T12:03:53 ntpd[21436]: NTS: troubles during init. Bailing.
> Not really clear why it bailed...
Well, it was definitely associated with ipv6 being turned off, that's 
for sure - I just duplicated the config additions on the next 
(identical) device, and identical failure:

before enabling ipv6, full output:

2019-07-25T11:31:02 ntpd[15541]: CLOCK: leapsecond file 
('/var/lib/ntp/leap-seconds.list'): good hash signature
2019-07-25T11:31:02 ntpd[15541]: CLOCK: leapsecond file 
('/var/lib/ntp/leap-seconds.list'): loaded, expire=2019-12-28T00:00Z 
last=2017-01-01T00:00Z ofs=37
2019-07-25T11:31:02 ntpd[15541]: INIT: Using SO_TIMESTAMPNS
2019-07-25T11:31:02 ntpd[15541]: IO: Listen and drop on 0 v4wildcard 
0.0.0.0:123
2019-07-25T11:31:02 ntpd[15541]: IO: Listen normally on 1 lo 127.0.0.1:123
2019-07-25T11:31:02 ntpd[15541]: IO: Listen normally on 2 wlan0 
192.168.1.11:123
2019-07-25T11:31:02 ntpd[15541]: IO: Listening on routing socket on fd 
#19 for interface updates
2019-07-25T11:31:02 ntpd[15541]: SYNC: Found 10 servers, suggest minsane 
at least 3
2019-07-25T11:31:02 ntpd[15541]: INIT: This system has a 32-bit time_t.
2019-07-25T11:31:02 ntpd[15541]: INIT: This ntpd will fail on 
2038-01-19T03:14:07Z.
2019-07-25T11:31:02 ntpd[15541]: NTSs: starting NTS-KE server listening 
on port 123
2019-07-25T11:31:02 ntpd[15541]: NTSs: loaded certificate (chain) from 
/etc/letsencrypt/live/ntpsec.anastrophe.com/fullchain.pem
2019-07-25T11:31:02 ntpd[15541]: NTSs: loaded private key from 
/etc/letsencrypt/live/ntpsec.anastrophe.com/privkey.pem
2019-07-25T11:31:02 ntpd[15541]: NTSs: Private Key OK
2019-07-25T11:31:02 ntpd[15541]: NTSs: OpenSSL security level is 2
2019-07-25T11:31:02 ntpd[15541]: NTSs: listen4 worked
2019-07-25T11:31:02 ntpd[15541]: NTSs: Can't create socket6:
2019-07-25T11:31:02 ntpd[15541]: NTSc: Using system default root 
certificates.
2019-07-25T11:31:02 ntpd[15541]: NTS: troubles during init. Bailing.

after enabling, full output:

2019-07-25T11:32:45 ntpd[687]: CLOCK: leapsecond file 
('/var/lib/ntp/leap-seconds.list'): good hash signature
2019-07-25T11:32:45 ntpd[687]: CLOCK: leapsecond file 
('/var/lib/ntp/leap-seconds.list'): loaded, expire=2019-12-28T00:00Z 
last=2017-01-01T00:00Z ofs=37
2019-07-25T11:32:45 ntpd[687]: INIT: Using SO_TIMESTAMPNS
2019-07-25T11:32:45 ntpd[687]: IO: Listen and drop on 0 v6wildcard [::]:123
2019-07-25T11:32:45 ntpd[687]: IO: Listen and drop on 1 v4wildcard 
0.0.0.0:123
2019-07-25T11:32:45 ntpd[687]: IO: Listen normally on 2 lo 127.0.0.1:123
2019-07-25T11:32:45 ntpd[687]: IO: Listen normally on 3 lo [::1]:123
2019-07-25T11:32:45 ntpd[687]: IO: Listening on routing socket on fd #20 
for interface updates
2019-07-25T11:32:45 ntpd[687]: SYNC: Found 10 servers, suggest minsane 
at least 3
2019-07-25T11:32:45 ntpd[687]: INIT: This system has a 32-bit time_t.
2019-07-25T11:32:45 ntpd[687]: INIT: This ntpd will fail on 
2038-01-19T03:14:07Z.
2019-07-25T11:32:45 ntpd[687]: NTSs: starting NTS-KE server listening on 
port 123
2019-07-25T11:32:45 ntpd[687]: NTSs: loaded certificate (chain) from 
/etc/letsencrypt/live/ntpsec.anastrophe.com/fullchain.pem
2019-07-25T11:32:45 ntpd[687]: NTSs: loaded private key from 
/etc/letsencrypt/live/ntpsec.anastrophe.com/privkey.pem
2019-07-25T11:32:45 ntpd[687]: NTSs: Private Key OK
2019-07-25T11:32:45 ntpd[687]: NTSs: OpenSSL security level is 2
2019-07-25T11:32:45 ntpd[687]: NTSs: listen4 worked
2019-07-25T11:32:45 ntpd[687]: NTSs: listen6 worked
2019-07-25T11:32:45 ntpd[687]: NTSc: Using system default root certificates.
2019-07-25T11:32:54 ntpd[687]: CLOCK: time stepped by 8.221456
2019-07-25T11:32:55 ntpd[687]: IO: Listen normally on 4 wlan0 
192.168.1.11:123
2019-07-25T11:32:55 ntpd[687]: IO: bind(22) AF_INET6 
fe80::ba27:ebff:fe09:ea7b%3#123 flags 0x1 failed: Cannot assign 
requested address
2019-07-25T11:32:55 ntpd[687]: IO: unable to create socket on wlan0 (5) 
for fe80::ba27:ebff:fe09:ea7b%3#123
2019-07-25T11:32:55 ntpd[687]: IO: failed to init interface for address 
fe80::ba27:ebff:fe09:ea7b%3
2019-07-25T11:32:55 ntpd[687]: DNS: dns_probe: ntp2.glypnod.com, 
cast_flags:1, flags:21801
2019-07-25T11:32:55 ntpd[687]: NTSc: DNS lookup of ntp2.glypnod.com took 
0.012 sec
2019-07-25T11:32:55 ntpd[687]: NTSc: nts_probe connecting to 
ntp2.glypnod.com:123 => 178.62.68.79:123
2019-07-25T11:32:55 ntpd[687]: NTSc: set cert host: ntp2.glypnod.com
2019-07-25T11:32:56 ntpd[687]: NTSc: Using TLSv1.3, 
TLS_AES_256_GCM_SHA384 (256)
2019-07-25T11:32:56 ntpd[687]: NTSc: certificate subject name: 
/CN=ntp2.glypnod.com
2019-07-25T11:32:56 ntpd[687]: NTSc: certificate issuer name: 
/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2019-07-25T11:32:56 ntpd[687]: NTSc: certificate is valid.
2019-07-25T11:32:56 ntpd[687]: NTSc: matched cert host: ntp2.glypnod.com
2019-07-25T11:32:56 ntpd[687]: NTSc: read 880 bytes
2019-07-25T11:32:56 ntpd[687]: NTSc: Got 8 cookies, length 104, aead=15.
2019-07-25T11:32:56 ntpd[687]: NTSc: NTS-KE req to ntp2.glypnod.com took 
0.709 sec, OK
2019-07-25T11:32:56 ntpd[687]: DNS: dns_check: processing 
ntp2.glypnod.com, 1, 21801
2019-07-25T11:32:56 ntpd[687]: DNS: Server taking: 178.62.68.79
2019-07-25T11:32:56 ntpd[687]: DNS: Server poking hole in restrictions 
for: 178.62.68.79
2019-07-25T11:32:56 ntpd[687]: DNS: dns_take_status: 
ntp2.glypnod.com=>good, 0
2019-07-25T11:32:56 ntpd[687]: DNS: dns_probe: ntp1.glypnod.com, 
cast_flags:1, flags:21801
2019-07-25T11:32:56 ntpd[687]: NTSc: DNS lookup of ntp1.glypnod.com took 
0.030 sec
2019-07-25T11:32:56 ntpd[687]: NTSc: nts_probe connecting to 
ntp1.glypnod.com:123 => 104.131.155.175:123
2019-07-25T11:32:56 ntpd[687]: NTSc: set cert host: ntp1.glypnod.com
2019-07-25T11:32:56 ntpd[687]: NTSc: Using TLSv1.3, 
TLS_AES_256_GCM_SHA384 (256)
2019-07-25T11:32:56 ntpd[687]: NTSc: certificate subject name: 
/CN=ntp1.glypnod.com
2019-07-25T11:32:56 ntpd[687]: NTSc: certificate issuer name: 
/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2019-07-25T11:32:56 ntpd[687]: NTSc: certificate is valid.
2019-07-25T11:32:56 ntpd[687]: NTSc: matched cert host: ntp1.glypnod.com
2019-07-25T11:32:56 ntpd[687]: NTSc: read 880 bytes
2019-07-25T11:32:56 ntpd[687]: NTSc: Got 8 cookies, length 104, aead=15.
2019-07-25T11:32:56 ntpd[687]: NTSc: NTS-KE req to ntp1.glypnod.com took 
0.158 sec, OK
2019-07-25T11:32:56 ntpd[687]: DNS: dns_check: processing 
ntp1.glypnod.com, 1, 21801
2019-07-25T11:32:56 ntpd[687]: DNS: Server taking: 104.131.155.175
2019-07-25T11:32:56 ntpd[687]: DNS: Server poking hole in restrictions 
for: 104.131.155.175
2019-07-25T11:32:56 ntpd[687]: DNS: dns_take_status: 
ntp1.glypnod.com=>good, 0
2019-07-25T11:32:57 ntpd[687]: DNS: dns_probe: pi4.rellim.com, 
cast_flags:1, flags:21801
2019-07-25T11:32:57 ntpd[687]: NTSc: DNS lookup of pi4.rellim.com took 
0.005 sec
2019-07-25T11:32:57 ntpd[687]: NTSc: nts_probe connecting to 
pi4.rellim.com:123 => 204.17.205.24:123
2019-07-25T11:32:57 ntpd[687]: IO: Listen normally on 6 wlan0 
[fe80::ba27:ebff:fe09:ea7b%3]:123
2019-07-25T11:32:57 ntpd[687]: NTSc: set cert host: pi4.rellim.com
2019-07-25T11:32:57 ntpd[687]: NTSc: Using TLSv1.2, AES256-GCM-SHA384 (256)
2019-07-25T11:32:57 ntpd[687]: NTSc: certificate subject name: 
/CN=pi4.rellim.com
2019-07-25T11:32:57 ntpd[687]: NTSc: certificate issuer name: 
/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2019-07-25T11:32:57 ntpd[687]: NTSc: certificate is valid.
2019-07-25T11:32:57 ntpd[687]: NTSc: matched cert host: pi4.rellim.com
2019-07-25T11:32:57 ntpd[687]: NTSc: read 880 bytes
2019-07-25T11:32:57 ntpd[687]: NTSc: Got 8 cookies, length 104, aead=15.
2019-07-25T11:32:57 ntpd[687]: NTSc: NTS-KE req to pi4.rellim.com took 
0.285 sec, OK
2019-07-25T11:32:57 ntpd[687]: DNS: dns_check: processing 
pi4.rellim.com, 1, 21801
2019-07-25T11:32:57 ntpd[687]: DNS: Server taking: 204.17.205.24
2019-07-25T11:32:57 ntpd[687]: DNS: Server poking hole in restrictions 
for: 204.17.205.24
2019-07-25T11:32:57 ntpd[687]: DNS: dns_take_status: pi4.rellim.com=>good, 0
2019-07-25T11:32:58 ntpd[687]: DNS: dns_probe: ntpmon.dcs1.biz, 
cast_flags:1, flags:21801
2019-07-25T11:32:58 ntpd[687]: NTSc: DNS lookup of ntpmon.dcs1.biz took 
0.006 sec
2019-07-25T11:32:58 ntpd[687]: NTSc: nts_probe connecting to 
ntpmon.dcs1.biz:123 => 203.123.48.219:123
2019-07-25T11:32:58 ntpd[687]: NTSc: set cert host: ntpmon.dcs1.biz
2019-07-25T11:32:59 ntpd[687]: NTSc: Using TLSv1.3, 
TLS_AES_256_GCM_SHA384 (256)
2019-07-25T11:32:59 ntpd[687]: NTSc: certificate subject name: 
/CN=ntpmon.dcs1.biz
2019-07-25T11:32:59 ntpd[687]: NTSc: certificate issuer name: 
/C=US/O=Let's Encrypt/CN=Let's Encrypt Authority X3
2019-07-25T11:32:59 ntpd[687]: NTSc: certificate is valid.
2019-07-25T11:32:59 ntpd[687]: NTSc: matched cert host: ntpmon.dcs1.biz
2019-07-25T11:32:59 ntpd[687]: NTSc: read 880 bytes
2019-07-25T11:32:59 ntpd[687]: NTSc: Got 8 cookies, length 104, aead=15.
2019-07-25T11:32:59 ntpd[687]: NTSc: NTS-KE req to ntpmon.dcs1.biz took 
0.844 sec, OK
2019-07-25T11:32:59 ntpd[687]: DNS: dns_check: processing 
ntpmon.dcs1.biz, 1, 21801
2019-07-25T11:32:59 ntpd[687]: DNS: Server taking: 203.123.48.219
2019-07-25T11:32:59 ntpd[687]: DNS: Server poking hole in restrictions 
for: 203.123.48.219
2019-07-25T11:32:59 ntpd[687]: DNS: dns_take_status: 
ntpmon.dcs1.biz=>good, 0
2019-07-25T11:32:59 ntpd[687]: DNS: dns_probe: clock.fmt.he.net, 
cast_flags:1, flags:20901
2019-07-25T11:32:59 ntpd[687]: DNS: dns_check: processing 
clock.fmt.he.net, 1, 20901
2019-07-25T11:32:59 ntpd[687]: DNS: Server taking: 66.220.9.122
2019-07-25T11:32:59 ntpd[687]: DNS: Server poking hole in restrictions 
for: 66.220.9.122
2019-07-25T11:32:59 ntpd[687]: DNS: dns_take_status: 
clock.fmt.he.net=>good, 0
2019-07-25T11:33:00 ntpd[687]: DNS: dns_probe: ntp.pts0.net, 
cast_flags:1, flags:20901
2019-07-25T11:33:00 ntpd[687]: DNS: dns_check: processing ntp.pts0.net, 
1, 20901
2019-07-25T11:33:00 ntpd[687]: DNS: Server taking: 76.14.161.109
2019-07-25T11:33:00 ntpd[687]: DNS: Server poking hole in restrictions 
for: 76.14.161.109
2019-07-25T11:33:00 ntpd[687]: DNS: dns_take_status: ntp.pts0.net=>good, 0
2019-07-25T11:33:01 ntpd[687]: DNS: dns_probe: ntp1.net.berkeley.edu, 
cast_flags:1, flags:20901
2019-07-25T11:33:01 ntpd[687]: DNS: dns_check: processing 
ntp1.net.berkeley.edu, 1, 20901
2019-07-25T11:33:01 ntpd[687]: DNS: Server taking: 169.229.128.134
2019-07-25T11:33:01 ntpd[687]: DNS: Server poking hole in restrictions 
for: 169.229.128.134
2019-07-25T11:33:01 ntpd[687]: DNS: dns_take_status: 
ntp1.net.berkeley.edu=>good, 0
2019-07-25T11:33:02 ntpd[687]: DNS: dns_probe: stratum-1.sjc02.svwh.net, 
cast_flags:1, flags:20901
2019-07-25T11:33:02 ntpd[687]: DNS: dns_check: processing 
stratum-1.sjc02.svwh.net, 1, 20901
2019-07-25T11:33:02 ntpd[687]: DNS: Server taking: 162.213.2.253
2019-07-25T11:33:02 ntpd[687]: DNS: Server poking hole in restrictions 
for: 162.213.2.253
2019-07-25T11:33:02 ntpd[687]: DNS: dns_take_status: 
stratum-1.sjc02.svwh.net=>good, 0
2019-07-25T11:33:03 ntpd[687]: DNS: dns_probe: a-ntpsec, cast_flags:1, 
flags:20901
2019-07-25T11:33:03 ntpd[687]: DNS: dns_check: processing a-ntpsec, 1, 20901
2019-07-25T11:33:03 ntpd[687]: DNS: Server taking: 192.168.1.10
2019-07-25T11:33:03 ntpd[687]: DNS: dns_take_status: a-ntpsec=>good, 0


As you can see, it continued initialization, even though an ipv6 address 
wasn't actually assigned. So it's really only the inability to listen on 
the socket, not necessarily fully functioning ipv6.

> Why would you ever turn off IPv6????
That's where the discussion would diverge and digress into details not 
explicitly relevant to the NTS implementation...


-- 
Paul Theodoropoulos
www.anastrophe.com
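
The failure mode in this message, as an added example that is not part of the original post and is not NTPsec's code: a listener setup that skips an address family the kernel does not provide while still aborting on any other error, or when no listener opens at all. It assumes Linux, where `socket(AF_INET6, ...)` fails with `EAFNOSUPPORT` when the family is unavailable; the function names and the policy are hypothetical.

```c
/* Added example (not NTPsec code); all names here are hypothetical. */
#include <errno.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

/* Pure policy: e4/e6 are 0 on success, else the errno from setup.
 * Returns the listener count, or -1 if startup must abort. */
int listeners_verdict(int e4, int e6) {
    if ((e4 && e4 != EAFNOSUPPORT) || (e6 && e6 != EAFNOSUPPORT))
        return -1;              /* real fault, e.g. EADDRINUSE, EACCES */
    int n = (e4 == 0) + (e6 == 0);
    return n > 0 ? n : -1;      /* no usable family at all is still fatal */
}
/* Wildcard listener for one family; returns fd, or -1 with *err = errno. */
int open_listener(int family, uint16_t port, int *err) {
    struct sockaddr_storage ss;
    socklen_t len;
    int on = 1, fd = socket(family, SOCK_STREAM, 0);
    if (fd < 0) { *err = errno; return -1; }
    memset(&ss, 0, sizeof ss);  /* all-zero address is the wildcard */
    if (family == AF_INET6) {
        struct sockaddr_in6 *a = (struct sockaddr_in6 *)&ss;
        a->sin6_family = AF_INET6; a->sin6_port = htons(port);
        /* v6-only, so the IPv4 listener can hold the same port */
        setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &on, sizeof on);
        len = sizeof *a;
    } else {
        struct sockaddr_in *a = (struct sockaddr_in *)&ss;
        a->sin_family = AF_INET; a->sin_port = htons(port);
        len = sizeof *a;
    }
    if (bind(fd, (struct sockaddr *)&ss, len) < 0 || listen(fd, 16) < 0) {
        *err = errno; close(fd); return -1;
    }
    return fd;
}
/* Try both families; on abort, release whatever did open. */
int init_listeners(uint16_t port, int *fd4, int *fd6) {
    int e4 = 0, e6 = 0;
    *fd4 = open_listener(AF_INET, port, &e4);
    *fd6 = open_listener(AF_INET6, port, &e6);
    int n = listeners_verdict(e4, e6);
    if (n < 0) {
        if (*fd4 >= 0) close(*fd4);
        if (*fd6 >= 0) close(*fd6);
        *fd4 = *fd6 = -1;
    }
    return n;
}
int main(void) { int a, b; return init_listeners(0, &a, &b) < 0; }
```

Port 0 in `main` asks the kernel for an ephemeral port so the example runs unprivileged; a real NTS-KE listener would pass its configured port.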
