[ntp:hackers] A stop-gap authenticated time service
hmurray at megapathdsl.net
Mon Nov 16 02:15:30 UTC 2015
terje at tmsw.no said:
> a) Secure NTP servers cannot use DNSSEC services to pick up all their
> sources, they must have at least one source which is a local refclock or IP
> only, alternatively you fall back on DNS only and leave an opening for an
> attacker to MITM you.
> b) DNSSEC servers likewise need to have at least one local (refclock/
> IP-only) NTP reference in order to be able to verify their local clocks
> before they can serve authenticated data.
Is that only a startup transient? Does it all work once it gets started?
Would setting the time from an operator's watch at boot time be good enough?
These are my opinions. I hate spam.