[ntp:hackers] A stop-gap authenticated time service

Hal Murray hmurray at megapathdsl.net
Mon Nov 16 02:15:30 UTC 2015


terje at tmsw.no said:
> a) Secure NTP servers cannot use DNSSEC services to pick up all their
> sources, they must have at least one source which is a local refclock or IP
> only, alternatively you fall back on DNS only and leave an opening for an
> attacker to MITM you.

> b) DNSSEC servers likewise need to have at least one local (refclock/
> IP-only) NTP reference in order to be able to verify their local clocks
> before they can serve authenticated data.

Is that only a startup transient?  Does it all work once it gets started?

Would setting the time from an operator's watch at boot time be good enough?

These are my opinions.  I hate spam.
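As an added illustration of point (a) above (not part of the original thread, and not configuration from any project the thread describes), here is the weak ntpd configuration that depends entirely on DNS to find its sources, beside one that keeps at least one IP-only or refclock source so the clock can be set before DNS (and hence DNSSEC validation) is trustworthy. The addresses are RFC 5737 documentation placeholders and the pool name is a stand-in; substitute your own.

```conf
# --- Weak: every source is a DNS name.  At boot ntpd must resolve these
# --- before it has any time, so a DNS-level attacker controls which
# --- servers it ever talks to, and DNSSEC cannot help because validation
# --- itself needs a correct clock.
pool 0.pool.example.net iburst      # placeholder pool name
pool 1.pool.example.net iburst      # placeholder pool name

# --- Corrected: at least one source that needs no name resolution.
# A local refclock (here the ntpd NMEA driver, type 20, unit 0) ...
server 127.127.20.0 mode 0 minpoll 4 maxpoll 4
fudge  127.127.20.0 time1 0.0 refid GPS
# ... and/or a fixed-IP peer reachable without DNS (documentation address).
server 192.0.2.10 iburst            # placeholder: IP-only source
# DNS-named sources remain useful for redundancy, but they are no longer
# the only path to a first time fix.
pool 0.pool.example.net iburst      # placeholder pool name
```

The practical check is to confirm that at least one `server` line in the running configuration is an address or refclock rather than a name; the thread's open question, whether the DNS-only case is merely a startup transient, is not resolved by this fragment, which only removes the DNS dependency from the first time fix.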
