[Pool] Valid pool server checks

Tapio Sokura oh2kku at iki.fi
Mon Apr 6 15:21:01 UTC 2015


Hello,

On 1.4.2015 23:50, Harlan Stenn wrote:
>> I think that both would get fixed if ntpd occasionally did another DNS
>> lookup for each server it is using and switched to a new address if
>> the address it is using isn't one of the addresses returned.
>
> That's the bigger-scope TTL issue.  But that will not directly address
> the issue of "is the pool server I am currently using still listed as
> being "valid".

This could be done by adding a reverse zone into pool.ntp.org that 
includes all valid pool server ip addresses. If you just query forward 
pool.ntp.org, depending on from where and when you ask, you will get a 
bit different set of ip addresses returned. They probably won't contain 
the same servers you got a while before that.

Something like the smtp blackhole lists use could work for the reverse 
zone. Include an entry if the server is valid in the pool, like:

ipv4: 1.2.0.192.rev4.pool.ntp.org. in a 127.0.0.1
ipv6: 1.2.3....8.b.d.0.1.0.0.2.rev6.pool.ntp.org in a 127.0.0.1

You would probably want to use a pretty long TTL and query interval for 
these (a day or two?), to keep the number of DNS queries at bay.

There are many ways to organize and use these values. There also seems 
to be an RFC on DNS black/whitelists: http://tools.ietf.org/html/rfc5782

One possible downside to having these in the DNS is the possibility for 
enumerating the list of valid pool servers by "walking" the v4 reverse 
zone, only 4 billion addresses to try... I don't know if that's a problem.

   Tapio
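As an added illustration of the DNSBL-style check proposed above (this is example code, not something from the thread or from the pool project): the function below builds the reverse query name for an IPv4 or IPv6 address in the form the message sketches, treats an A answer of 127.0.0.1 as "still listed", and wraps the lookup in a cache so each server is re-checked only once per long interval. The zone names `rev4.pool.ntp.org` and `rev6.pool.ntp.org` are the ones proposed in the message and are assumed here, not a zone that exists; the resolver is a stand-in backed by a constructed table so the code runs offline.

```python
"""Added example (not from the mailing-list thread): a DNSBL-style
"is this server still a valid pool member?" lookup, as proposed above.
The rev4/rev6 zone names are assumptions taken from the proposal."""

import ipaddress
import time
from typing import Callable, Dict, Optional, Tuple

REV4_ZONE = "rev4.pool.ntp.org"   # proposed in the thread, assumed here
REV6_ZONE = "rev6.pool.ntp.org"   # proposed in the thread, assumed here
LISTED = "127.0.0.1"              # the "server is valid" answer from the proposal

# A resolver takes a query name and returns the A record text, or None when
# there is no such name / no data.  Injecting it keeps the logic testable.
Resolver = Callable[[str], Optional[str]]


def reverse_name(addr: str) -> str:
    """Build the reverse-zone query name for an address.

    IPv4: octets reversed, e.g. 192.0.2.1 -> 1.2.0.192.rev4.pool.ntp.org.
    IPv6: all 32 nibbles reversed (ip6.arpa style) under rev6.pool.ntp.org.
    """
    ip = ipaddress.ip_address(addr)
    if ip.version == 4:
        labels = str(ip).split(".")[::-1]
        return ".".join(labels) + "." + REV4_ZONE + "."
    nibbles = ip.exploded.replace(":", "")   # 32 hex digits, zeros kept
    return ".".join(reversed(nibbles)) + "." + REV6_ZONE + "."


def is_valid_pool_server(addr: str, resolve_a: Resolver) -> bool:
    """True only if the reverse zone answers exactly 127.0.0.1 for addr.

    NXDOMAIN, no data, or any other value all mean "not listed", so a
    misconfigured or unreachable zone fails closed rather than open.
    """
    return resolve_a(reverse_name(addr)) == LISTED


class PoolMembershipCache:
    """Rate-limits the reverse lookups per server.

    The thread suggests a query interval of a day or two to keep DNS load
    down; min_interval defaults to one day.  `now` is injectable so the
    interval logic can be exercised without waiting.
    """

    def __init__(self, resolve_a: Resolver, min_interval: float = 86400.0,
                 now: Callable[[], float] = time.monotonic) -> None:
        self._resolve = resolve_a
        self._interval = min_interval
        self._now = now
        self._cache: Dict[str, Tuple[float, bool]] = {}
        self.lookups = 0   # number of real lookups performed (for inspection)

    def check(self, addr: str) -> bool:
        key = str(ipaddress.ip_address(addr))   # canonical form as cache key
        t = self._now()
        hit = self._cache.get(key)
        if hit is not None and t - hit[0] < self._interval:
            return hit[1]
        self.lookups += 1
        valid = is_valid_pool_server(key, self._resolve)
        self._cache[key] = (t, valid)
        return valid


# Constructed sample zone contents (not real pool data): two listed servers.
_SAMPLE_ZONE: Dict[str, str] = {
    reverse_name("192.0.2.1"): LISTED,
    reverse_name("2001:db8::1"): LISTED,
}


def sample_resolver(name: str) -> Optional[str]:
    """Stand-in for a DNS A lookup, backed by the constructed table above."""
    return _SAMPLE_ZONE.get(name)


if __name__ == "__main__":
    cache = PoolMembershipCache(sample_resolver)
    for server in ("192.0.2.1", "198.51.100.7", "2001:db8::1", "2001:db8::2"):
        print(server, "->", reverse_name(server), "listed:", cache.check(server))
```

In a real client the resolver would be the system stub resolver; the decision rule (exact match on 127.0.0.1, everything else treated as "not listed") and the per-server interval stay as above.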

