NTS not 'working', likely operator error

Hal Murray halmurray at sonic.net
Tue Apr 9 05:53:42 UTC 2024


> What I'm wondering now is if there is some fubar in the way I have things
> set up wrt the certificate(s). I make the NTP service available as
> ntpsec.anastrophe.com, but the NTS service tied to nts.anastrophe.com for
> the cert. Perhaps this is creating a mismatch of sorts, though since the
> source host/IP is the same either way, I would think not. I'll take a quick
> poke at that avenue.

It does a DNS lookup on the name you give it on the server line, then opens a 
TCP/TLS connection to that server.  It uses that name as part of the 
certificate checking.  That handshake includes an optional IP Address to use.  
It defaults to the same as used to talk to the KE server.  [You could run the 
KE server on a different machine.  We don't support that.]

There is a clump of logging on the client side.  It ends up with something 
like this:
 1 Jan 01:14:01 ntpd[258884]: DNS: Server taking: 178.62.68.79
 1 Jan 01:14:01 ntpd[258884]: DNS: dns_take_status: ntp2.glypnod.com=>good, 0
The "good" is what to look for.  If it doesn't work, there should be a similar 
message with "error" instead of "good".

From your first message:
   NTS client sends:                       48
   NTS client recvs good:                   0
   NTS client recvs w error:                0

That says it sent out 48 requests using NTS.  It didn't get any answers back, 
good or bad.


-- 
These are my opinions.  I hate spam.
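The two checks described in the message above, the `dns_take_status` log line and the `NTS client` counters, turned into a small triage script. This is an added example, not part of this message or of NTPsec; the regexes are written against the two line formats quoted above, and the sample log lines and counters are constructed from them (`nts.example.net` is a made-up host).

```python
"""Triage ntpd NTS client state from its log lines and ntpq counters."""
import re

# Format of the NTS-KE result line ntpd logs per server (quoted in the message above).
DNS_STATUS_RE = re.compile(
    r"DNS: dns_take_status: (?P<host>\S+)=>(?P<status>\w+), (?P<code>\d+)"
)
# Format of the NTS client counter lines (quoted in the message above).
NTS_COUNTER_RE = re.compile(
    r"NTS client (?P<name>sends|recvs good|recvs w error):\s+(?P<value>\d+)"
)

# Constructed sample input: first two lines are the ones quoted in the message,
# the third is a made-up failing host to show the "error" case.
LOG = [
    " 1 Jan 01:14:01 ntpd[258884]: DNS: Server taking: 178.62.68.79",
    " 1 Jan 01:14:01 ntpd[258884]: DNS: dns_take_status: ntp2.glypnod.com=>good, 0",
    " 1 Jan 01:14:02 ntpd[258884]: DNS: dns_take_status: nts.example.net=>error, 0",
]
STATS = [
    "   NTS client sends:                       48",
    "   NTS client recvs good:                   0",
    "   NTS client recvs w error:                0",
]


def dns_take_results(log_lines):
    """Map each server name to its NTS-KE status ('good' or 'error')."""
    results = {}
    for line in log_lines:
        m = DNS_STATUS_RE.search(line)
        if m:
            results[m.group("host")] = m.group("status")
    return results


def nts_client_counters(stat_lines):
    """Return {'sends': n, 'recvs good': n, 'recvs w error': n}."""
    counters = {}
    for line in stat_lines:
        m = NTS_COUNTER_RE.search(line)
        if m:
            counters[m.group("name")] = int(m.group("value"))
    return counters


def diagnose(counters):
    """Classify the counters: no_sends, no_replies, all_errors or ok."""
    sends = counters.get("sends", 0)
    good = counters.get("recvs good", 0)
    bad = counters.get("recvs w error", 0)
    if sends == 0:
        return "no_sends"        # NTS-KE never succeeded, check dns_take_status
    if good == 0 and bad == 0:
        return "no_replies"      # requests went out, nothing came back, good or bad
    if good == 0:
        return "all_errors"      # replies arrive but every one is rejected
    return "ok"
```

Run against the counters quoted in the message, `diagnose()` returns `no_replies`, which matches the reading that 48 requests went out and none came back.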
