[ntp:hackers] Re: NTP and leap-seconds

Paul Vixie paul at vix.com
Sat Jul 8 01:56:24 UTC 2006

> Is there any hope of using TSIG/RFC2845 or more simply the root zone
> servers to distribute leap second tables from authenticated publishing
> authorities? Such leap second tables would be updated/changed less
> frequently or about the same as the root zone if I understand things.

if you encoded the leap-second tables into dns format (hopefully not by
using a TXT RR but i understand that that's how these things are usually
done) and built a lightweight dns protocol agent (most likely based on
bind9's excellent libraries and not on the bind8-eventlib thing i've been
hawking here lately), then yes, this could be done.  and it's likely that
most of the iana-recognized root name server operators would serve the
content since it has an obvious universal public benefit.  the difficulty
would be in describing iana's role in importing the leap second tables
from time authorities and putting it into dns format.  you'd need to write
an rfc that specified a new iana administrative duty, which is a rare thing
but if you asked ed lewis (as an example; he wrote the last one) for help
it could be done.

however, ntp's usual way to do this would be very different.  you'd set up
an X.509 trust chain to authenticate data that was fetched using some kind
of UDP from some name like leaps.ntp.org.  if "some kind of UDP" is not
suitable then you'd just use https.

the real questions, if you went that way, would be "should ntp agents
download the full table, or just ask for the next leap-second?" and "how
often should ntp agents poll for changes, in case new leap seconds are
inserted?"  dns would not help you avoid the second question, and it would
wire down a possibly undesirable answer to the first.
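The second design above, as an added worked example in Go (editorial example code, not code from the NTP project or from anyone on this thread): an agent is handed a full leap-second table, the publisher's signature over it, and the publisher's certificate; it checks that the certificate chains to a root it has pinned before trusting any byte of the table, and then answers the two questions in the last paragraph from the table itself, taking the next leap second from the full table and scheduling the next poll from the table's own expiry. Everything concrete is assumed: the name leaps.ntp.org comes from the message, but the line-oriented table format with its "#@ <expires>" header, the use of Ed25519 keys inside the X.509 chain (picked here for brevity, not something the message specifies), the throwaway CA built by makeChain, and the sample table are constructed for this example (its two entries do match the 1 Jan 1999 and 1 Jan 2006 leap seconds expressed in NTP seconds; the expiry is made up). The transport, "some kind of UDP" or https, is left out; the code starts from bytes already fetched.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"strings"
	"time"
)

// Leap: TAI-UTC becomes Offset at NTP second At; Table adds the publisher's expiry in NTP seconds.
type Leap struct{ At uint64; Offset int }
type Table struct{ Expires uint64; Leaps []Leap }

// sampleTable is constructed (not an IERS file): the 1 Jan 1999 and 1 Jan 2006 leaps in NTP seconds; expiry assumed.
var sampleTable = []byte("#@ 3376252800\n3124137600 32\n3345062400 33\n")

// parseTable reads the constructed format: "#@ <expires>" first, then "<ntp-seconds> <tai-utc>"
// lines. A table without an expiry is rejected: the agent could never know when to repoll.
func parseTable(data []byte) (t Table, err error) {
	lines := strings.Split(strings.TrimSpace(string(data)), "\n")
	if _, err = fmt.Sscanf(lines[0], "#@ %d", &t.Expires); err != nil {
		return t, fmt.Errorf("missing #@ expiry line: %w", err)
	}
	for _, line := range lines[1:] {
		var l Leap
		if _, err = fmt.Sscanf(line, "%d %d", &l.At, &l.Offset); err != nil {
			return t, fmt.Errorf("bad entry %q: %w", line, err)
		}
		t.Leaps = append(t.Leaps, l)
	}
	return t, nil
}

// nextLeap answers "just ask for the next leap second" from the full table: first entry strictly after now.
func nextLeap(t Table, now uint64) (Leap, bool) {
	for _, l := range t.Leaps {
		if l.At > now {
			return l, true
		}
	}
	return Leap{}, false
}

// pollAfter answers "how often to poll": half the remaining validity (shrinks as expiry nears), 0 once expired.
func pollAfter(t Table, now uint64) time.Duration {
	if t.Expires <= now {
		return 0
	}
	return time.Duration(t.Expires-now) * time.Second / 2
}

// signTable is the publisher side: Ed25519 over the exact bytes that will be served.
func signTable(table []byte, key ed25519.PrivateKey) []byte { return ed25519.Sign(key, table) }

// verifySigned is the agent side: chain the leaf to a pinned root FIRST, then check the
// signature, so a key that does not chain never gets to vouch for any data.
func verifySigned(table, sig, leafDER []byte, roots *x509.CertPool) error {
	leaf, err := x509.ParseCertificate(leafDER)
	if err != nil {
		return err
	}
	if _, err = leaf.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return fmt.Errorf("untrusted publisher: %w", err)
	}
	return leaf.CheckSignature(x509.PureEd25519, table, sig)
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// makeChain is scaffolding: a throwaway root CA plus a leaf for the assumed name leaps.ntp.org.
func makeChain() (*x509.CertPool, []byte, ed25519.PrivateKey) {
	caPub, caKey, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	leafPub, leafKey, err := ed25519.GenerateKey(rand.Reader)
	check(err)
	ca := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "example leap root"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	caDER, err := x509.CreateCertificate(rand.Reader, ca, ca, caPub, caKey)
	check(err)
	caCert, err := x509.ParseCertificate(caDER)
	check(err)
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "leaps.ntp.org"},
		NotBefore: ca.NotBefore, NotAfter: ca.NotAfter, KeyUsage: x509.KeyUsageDigitalSignature}
	leafDER, err := x509.CreateCertificate(rand.Reader, leaf, caCert, leafPub, caKey)
	check(err)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	return roots, leafDER, leafKey
}
```

Two points a practitioner would check: verifySigned runs the chain check before the signature check, so a perfectly well-formed signature from a key that does not chain to the pinned root is refused as "untrusted publisher" rather than verified and then second-guessed; and parseTable refuses a table with no expiry line, because without one the polling question has no answer and the agent would trust stale data forever. pollAfter halves the remaining validity each time, so an agent that downloaded the full table still learns of a newly inserted leap second well before the table it holds runs out.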