[ntp:questions] Re: handling of falsetickers with dumb NTP clients

Brad Knowles brad.knowles at skynet.be
Sun Sep 14 15:54:29 UTC 2003


At 2:07 AM +0000 2003/09/12, David L. Mills wrote:

>                                         In other painful words, time and
>  security are inseparable in themselves, but must be separable from name
>  resolution. The purist cannot turn up bind unless NTP has synchronized
>  the clock.

	BIND (and name resolution in general) only needs an accurate 
value for time if you're using DNSSEC.  Otherwise, coarse relative 
values (within a second or so, monotonically increasing) are 
sufficient.  And even that's only necessary for servers that are 
acting as caching/recursive resolvers -- authoritative-only servers 
only need to compare the SOA serial number as a generic 32-bit 
quantity and see whether or not A is greater than B.

	In the case of NTP, we are fortunate that we can bootstrap this 
process by providing IP addresses in the ntp.conf file, which allows 
us to start up before name resolution is working.


	However, we should probably give some thought as to a two-phase 
startup process whereby we might delay trying to sync with servers 
that are specified by name, until such time as name resolution is 
working, while proceeding with time sync with servers that are 
specified by IP address.

	Once name resolution is working again, we could then restart the 
early parts of the sync process with the servers that are now 
presumably available, if that was deemed to be necessary or useful.

-- 
Brad Knowles, <brad.knowles at skynet.be>

"They that can give up essential liberty to obtain a little temporary
safety deserve neither liberty nor safety."
     -Benjamin Franklin, Historical Review of Pennsylvania.

GCS/IT d+(-) s:+(++)>: a C++(+++)$ UMBSHI++++$ P+>++ L+ !E-(---) W+++(--) N+
!w--- O- M++ V PS++(+++) PE- Y+(++) PGP>+++ t+(+++) 5++(+++) X++(+++) R+(+++)
tv+(+++) b+(++++) DI+(++++) D+(++) G+(++++) e++>++++ h--- r---(+++)* z(+++)



More information about the questions mailing list