[ntp:questions] Re: restrict lines
brad at stop.mail-abuse.org
Sun Mar 13 14:18:56 UTC 2005
At 12:25 AM -0800 2005-03-13, David Schwartz wrote:
>>> Before I found a man page for ntp.conf, I found several on-line
>>> examples. I thought that using the machine-name.domain-name.tld-name
>>> would be more intelligent, since it would always map to some IP and
>>> the IP could change.
>> Using host names on restrict lines would allow for subversion of the
>> restrictions through DNS cache poisoning.
> But surely that's the fault of whatever DNS server was vulnerable to
> cache poisoning, not the fault of NTP.
My testing indicates that something like 80% of all TLD zones are
vulnerable to DNS cache poisoning. Are you saying that anyone in
those countries, or using servers in those countries, should
automatically be declared to be screwed?
Moreover, once you depend on names for your security, what
happens when the name or IP address changes? Doing that sort of
thing would be totally impossible with pool.ntp.org, since few of the
owners of the machines listed have control over the reverse DNS for
their IP addresses, and they have no control over the monitoring or
load-balancing algorithms that Adrian uses in determining which
server goes into which subdomain of pool.ntp.org.
I'm sorry, the idea of using name-based security for this sort of
thing is just plain ludicrous. If you want security, use good
crypto. That's what it's there for.
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.
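As an added example that is not part of the thread, a small Python audit for the point Brad makes: it flags restrict lines in an ntp.conf that are keyed on DNS names rather than IP literals, and checks whether symmetric-key authentication is configured. Both ntp.conf fragments are constructed samples; 192.0.2.10, ntp1.example.com and /etc/ntp/ntp.keys are placeholder values.

```python
import ipaddress

# Constructed sample: the weak form discussed above, a restrict line keyed on a DNS name.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ntp1.example.com nomodify notrap
server ntp1.example.com
"""

# Constructed sample: the same policy keyed on an IP literal, plus symmetric-key auth
# (keys / trustedkey / server ... key N) so the peer is verified by crypto, not by name.
HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
keys /etc/ntp/ntp.keys
trustedkey 1
restrict default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict 192.0.2.10 nomodify notrap
server 192.0.2.10 key 1
"""

# Address tokens that are keywords, not hosts: "default" (any address) and "source".
RESTRICT_KEYWORDS = {"default", "source"}

def is_ip_literal(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def audit_restrict_lines(conf_text):
    """Return (line_no, address) for each restrict line whose address is a DNS name."""
    findings = []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        tokens = raw.split("#", 1)[0].split()      # drop comments, then tokenize
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        args = [t for t in tokens[1:] if t not in ("-4", "-6")]  # optional family flag
        if not args:
            continue
        addr = args[0]
        if addr not in RESTRICT_KEYWORDS and not is_ip_literal(addr):
            findings.append((line_no, addr))
    return findings

def uses_key_auth(conf_text):
    """True when both a keys file and at least one trustedkey are declared."""
    directives = {ln.split()[0] for ln in conf_text.splitlines() if ln.split()}
    return "keys" in directives and "trustedkey" in directives
```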