[ntp:questions] Re: restrict lines

Brad Knowles brad at stop.mail-abuse.org
Sun Mar 13 14:18:56 UTC 2005


At 12:25 AM -0800 2005-03-13, David Schwartz wrote:

>>>  Before I found a man page for ntp.conf, I found several on-line
>>>  examples. I thought that using the machine-name.domain-name.tld-name
>>>  would be more intelligent, since it would always map to some IP and
>>>  the IP could change.
>
>>  Using host names on restrict lines would allow for subversion of the
>>  restrictions through DNS cache poisoning.
>
>      But surely that's the fault of whatever DNS server was vulnerable to
>  cache poisoning, not the fault of NTP.

	See <http://www.shub-internet.org/brad/papers/dnscomparison/>. 
My testing indicates that something like 80% of all TLD zones are 
vulnerable to DNS cache poisoning.  Are you saying that anyone in 
those countries, or using servers in those countries, should 
automatically be declared to be screwed?

	Moreover, once you depend on names for your security, what 
happens when the name or IP address changes?  Doing that sort of 
thing would be totally impossible with pool.ntp.org, since few of the 
owners of the machines listed have control over the reverse DNS for 
their IP addresses, and they have no control over the monitoring or 
load-balancing algorithms that Adrian uses in determining which 
server goes into which subdomain of pool.ntp.org.


	I'm sorry, the idea of using name-based security for this sort of 
thing is just plain ludicrous.  If you want security, use good 
crypto.  That's what it's there for.

-- 
Brad Knowles, <brad at stop.mail-abuse.org>

"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."

     -- Benjamin Franklin (1706-1790), reply of the Pennsylvania
     Assembly to the Governor, November 11, 1755

   SAGE member since 1995.  See <http://www.sage.org/> for more info.
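One way to check a configuration for the problem discussed in this thread (a `restrict` line keyed on a DNS name rather than an address literal, so the restriction is only as strong as the resolver that answers for that name). This is an added example, not code from the mailing list or from the NTP project; the ntp.conf fragment it scans is constructed and the hostnames in it are illustrative.

```python
"""Lint ntp.conf 'restrict' lines for name-based entries.

Added example: flags restrict statements whose address argument is a
DNS name instead of an IP literal. The sample configuration below is
constructed for the demonstration.
"""
import ipaddress
import re

# Constructed sample ntp.conf fragment (hostnames are illustrative).
SAMPLE_NTP_CONF = """\
# default: deny everything
restrict default ignore
restrict 127.0.0.1
restrict -6 ::1
restrict 192.0.2.0 mask 255.255.255.0 nomodify notrap
restrict timeserver.example.net nomodify
restrict -4 ntp.example.org
server 0.pool.ntp.org
"""

# 'restrict', optional address-family flag, then the address token.
RESTRICT_RE = re.compile(r"^\s*restrict\s+(?:-[46]\s+)?(\S+)")

# Keywords ntpd accepts in the address position; they name no DNS host.
SAFE_KEYWORDS = {"default", "source"}


def is_address_literal(token):
    """True if token is an IPv4/IPv6 literal or a restrict keyword."""
    if token in SAFE_KEYWORDS:
        return True
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def find_name_based_restricts(conf_text):
    """Return (line_number, name) for each restrict line keyed on a DNS name."""
    findings = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        line = line.split("#", 1)[0]  # drop trailing comments
        m = RESTRICT_RE.match(line)
        if m and not is_address_literal(m.group(1)):
            findings.append((lineno, m.group(1)))
    return findings


if __name__ == "__main__":
    for lineno, name in find_name_based_restricts(SAMPLE_NTP_CONF):
        print(f"line {lineno}: restrict keyed on name '{name}'; use an address literal")
```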
