[ntp:hackers] A stop-gap authenticated time service

Harlan Stenn stenn at ntp.org
Mon Nov 16 02:50:54 UTC 2015

Terje Mathisen writes:
> Hal Murray wrote:
>>> (This obviously requires pool.ntp.org to support DNSSEC!)
>> I think DNSSEC requires time.  Is anybody who understands this area
>> willing to explain it to me/us?
> DNSSEC does require time, at (approximately?) the same accuracy as 
> Kerberos, i.e. 5 min.

Certificates are good for a period of time.

> This means two things:
> a) Secure NTP servers cannot use DNSSEC services to pick up all their 
> sources, they must have at least one source which is a local refclock or 
> IP only, alternatively you fall back on DNS only and leave an opening 
> for an attacker to MITM you.

Yes, and there are other scenarios as well.

This goes to "monitor your ntpd instances".

> b) DNSSEC servers likewise needs to have at least one local 
> (refclock/IP-only) NTP reference in order to be able to verify their 
> local clocks before they can serve authenticated data.

See above, and also think about what should happen when the time is

> > Does the full blown HTTPS stuff depend upon knowing the time?
> Obviously not, with the widely varying times phk is seeing, but in order 
> for the server certificate to be valid, the server time has at least to 
> be somewhere within the validity period for said certificate, and 
> keeping the clock at least approximately correct is a requirement for 
> any server which runs Kerberos for local authentication, which is 
> probably a very significant subset.

Certainly for Windows environments that use AD.
Harlan Stenn <stenn at ntp.org>
http://networktimefoundation.org - be a member!

More information about the hackers mailing list