[ntp:hackers] A stop-gap authenticated time service

Terje Mathisen terje at tmsw.no
Mon Nov 16 01:59:03 UTC 2015

Hal Murray wrote:
>> (This obviously requires pool.ntp.org to support DNSSEC!)
> I think DNSSEC requires time.  Is anybody who understands this area willing
> to explain it to me/us?
DNSSEC does require time, at (approximately?) the same accuracy as 
Kerberos, i.e. 5 min.

This means two things:

a) Secure NTP servers cannot use DNSSEC services to pick up all their 
sources, they must have at least one source which is a local refclock or 
IP only, alternatively you fall back on DNS only and leave an opening 
for an attacker to MITM you.

b) DNSSEC servers likewise needs to have at least one local 
(refclock/IP-only) NTP reference in order to be able to verify their 
local clocks before they can serve authenticated data.
> Does the full blown HTTPS stuff depend upon knowing the time?
Obviously not, with the widely varying times phk is seeing, but in order 
for the server certificate to be valid, the server time has at least to 
be somewhere within the validity period for said certificate, and 
keeping the clock at least approximately correct is a requirement for 
any server which runs Kerberos for local authentication, which is 
probably a very significant subset.


- <Terje at tmsw.no>
"almost all programming can be viewed as an exercise in caching"

More information about the hackers mailing list