[ntp:questions] Re: restrict lines

David Schwartz davids at webmaster.com
Mon Mar 14 22:17:34 UTC 2005

"Brad Knowles" <brad at stop.mail-abuse.org> wrote in message 
news:mailman.21.1110723918.576.questions at lists.ntp.isc.org...

> At 12:25 AM -0800 2005-03-13, David Schwartz wrote:

>>>>  Before I found a man page for ntp.conf, I found several on-line
>>>>  examples. I thought that using the machine-name.domain-name.tld-name
>>>>  would be more intelligent, since it would always map to some IP and
>>>>  the IP could change.

>>>  Using host names on restrict lines would allow for subversion of the
>>>  restrictions through DNS cache poisoning.

>>      But surely that's the fault of whatever DNS server was vulnerable to
>>  cache poisoning, not the fault of NTP.

> See <http://www.shub-internet.org/brad/papers/dnscomparison/>. My testing 
> indicates that something like 80% of all TLD zones are vulnerable to DNS 
> cache poisoning.  Are you saying that anyone in those countries, or using 
> servers in those countries, should automatically be declared to be 
> screwed?

    Yes, exactly. You can't fix this problem anywhere but at its source. You 
might as well argue that we should never use domain names in any situation 
with any security implications.

> Moreover, once you depend on names for your security, what happens when 
> the name or IP address changes?  Doing that sort of thing would be totally 
> impossible with pool.ntp.org, since few of the owners of the machines 
> listed have control over the reverse DNS for their IP addresses, and they 
> have no control over the monitoring or load-balancing algorithms that 
> Adrian uses in determining which server goes into which subdomain of 
> pool.ntp.org.

    On the contrary, it's if you depend upon IPs for your security that you 
get into trouble if things change. If you really believed the argument you 
are making, you would have to object to the existence of pool.ntp.org, since 
it does the very thing you are complaining about.

> I'm sorry, the idea of using name-based security for this sort of thing is 
> just plain ludicrous.  If you want security, use good crypto.  That's what 
> it's there for.

    Is it your position that name-based security is worse than no security 
at all? Or would it be your position that NTP should be modified to make it 
impossible to configure it with no security at all?


More information about the questions mailing list