[Pool] Valid pool server checks
oh2kku at iki.fi
Mon Apr 6 15:21:01 UTC 2015
On 1.4.2015 23:50, Harlan Stenn wrote:
>> I think that both would get fixed if ntpd occasionally did another DNS
>> lookup for each server it is using and switched to a new address if
>> the address it is using isn't one of the addresses returned.
> That's the bigger-scope TTL issue. But that will not directly address
> the issue of "is the pool server I am currently using still listed as
> being "valid".
This could be done by adding a reverse zone into pool.ntp.org that
includes all valid pool server ip addresses. If you just query forward
pool.ntp.org, depending on from where and when you ask, you will get a
bit different set of ip addresses returned. They probably won't contain
the same servers you got a while before that.
Something like the smtp blackhole lists use could work for the reverse
zone. Include an entry if the server is valid in the pool, like:
ipv4: 126.96.36.199.rev4.pool.ntp.org. in a 127.0.0.1
ipv6: 1.2.3....8.b.d.0.1.0.0.2.rev6.pool.ntp.org in a 127.0.0.1
You would probably want to use a pretty long TTL and query interval for
these (a day or two?), to keep the number of DNS queries at bay.
There are many ways to organize and use these values. There also seems
to be an RFC on DNS black/whitelists: http://tools.ietf.org/html/rfc5782
One possible downside to having these in the DNS is the possibility for
enumerating the list of valid pool servers by "walking" the v4 reverse
zone, only 4 billion addresses to try... I don't know if that's a problem.
More information about the pool