Assign Domain Name for NTS working

Guys,
Since I’m not an IT wizard, I’m struggling to understand the steps to take to get me from a plain old IPv6 address on my home connection to a domain name assigned to this address, and eventually get NTS working.

So, of course I know the IPv6 address I want to use, and the domain name is also registered, but:

  • How do I get a TLS certificate?
  • How do I point the domain name to the IPv6 address?
  • Where do I have to inject the TLS certificate? Is that in the router, or the timeserver behind the router, or both?
  • The domain name is not registered with the same company that provides my internet connection or timeserver. Do I need to change the DNS record of the domain?

Getting seriously in over my head, so it seems.

Thanks,

You may want to read Secure NTP with NTS - Fedora Magazine for background.

You can use any valid TLS certificate. I got mine for free from Let’s Encrypt, but such free certificates need to be renewed every few months. Fortunately the renewal can be automated.

As for the domain name and IPv6 address, you will need to add an AAAA record to your domain name’s DNS settings, pointing to your server.

The TLS certificate is configured in chrony.conf with the ntsserverkey and ntsservercert directives.

It does not matter if the domain’s registrar and your internet service provider are not the same. Yes, at some point you will need to adjust the DNS records of your domain.

Let’s Encrypt offers free certificates, and there are various tools with which you can request one. A typical one is certbot, which is available with common Linux distributions (often older versions, but that should not matter much for getting a basic certificate).

You need to register once, possibly through the tool, then request a certificate for the respective domain. There is a validation step involved where you need to prove that you control the domain. You can use an existing webserver, or configure special DNS entries. Or the aforementioned certbot has a simple built-in web server that can be spun up temporarily just for this purpose.

Let’s Encrypt and certbot also support automatic renewal. E.g., on Debian, you just need to add the name of your certificate in a pre-arranged place, and things should go smoothly from there. This is relevant since those certificates, for security reasons, are valid for 90 days only. Currently that is mostly the case for such free certificates, but some browser vendors are pushing for limiting the validity of certificates in general; other parties are currently still pushing back successfully, but it may come eventually.

Probably to be configured somewhere in the administration area of the place where you got the name.

In the timeserver. There are options where NTP server and NTS functionality can reside in separate entities, but the basic configuration is to have both in one. chronyd and NTPsec both support NTS; just look at their documentation for how to configure it. You need to point it to the certificate, the certificate chain, and the private key that were all generated as part of the certificate issuance process. certbot will tell you where to find them when it has successfully obtained a certificate.

On the router side, you just need to configure pinholing for the various protocol/port combinations involved, i.e., NTP (already open I assume), NTS, and the temporary webserver.

Not sure I understand, but having those separate is no problem for forward records, i.e., pointing from name to IP address (probably with your registrar, as mentioned above). Reverse is another matter, i.e., pointing from the address to the name. That can only be done via your ISP, because they “own” the IP address and the corresponding reverse record (the so-called PTR). But a reverse record is usually not needed (unless, e.g., you want to run a mailserver), though obviously nice to have.
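Putting the answers above together (certbot's built-in web server for the HTTP-01 challenge, the certificate files handed to chronyd, and automatic renewal), here is an added example script that is not from the thread. It assumes Debian-style paths, that chronyd runs as the user `_chrony` and its service is called `chrony`, and uses `ntp.example.com` as a placeholder name; adjust all three for your distribution. The point a practitioner tends to trip over: `/etc/letsencrypt/live` is readable by root only, while chronyd drops privileges, so the key and chain are copied out by a certbot deploy hook rather than referenced in place.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumptions (marked where used):
# Debian-style paths, chronyd runs as "_chrony", service name "chrony".

NTS_DIR=/etc/chrony/nts          # where chronyd will read its cert + key from
CHRONY_USER=_chrony              # assumption: Debian; Fedora uses "chrony"

# 1. One-time issuance. certbot's standalone mode spins up its own HTTP server
#    on TCP/80, so the router must forward TCP/80 to this host while this runs
#    (and at every renewal, since renewals use the same challenge).
request_cert() {
    domain=$1; email=$2
    certbot certonly --standalone --preferred-challenges http \
        --non-interactive --agree-tos -m "$email" -d "$domain"
}

# 2. Deploy hook. certbot runs every script in this directory after a successful
#    issuance/renewal and exports RENEWED_LINEAGE (= /etc/letsencrypt/live/<name>).
#    The hook copies chain + key out with group ownership chronyd can read, then
#    restarts chronyd, which reads its certificate and key at startup.
write_deploy_hook() {
    hook_dir=${1:-/etc/letsencrypt/renewal-hooks/deploy}
    mkdir -p "$hook_dir"
    cat > "$hook_dir/chrony-nts.sh" <<EOF
#!/bin/sh
set -e
install -d -o root -g $CHRONY_USER -m 0750 $NTS_DIR
install -o root -g $CHRONY_USER -m 0640 "\$RENEWED_LINEAGE/fullchain.pem" $NTS_DIR/fullchain.pem
install -o root -g $CHRONY_USER -m 0640 "\$RENEWED_LINEAGE/privkey.pem"   $NTS_DIR/privkey.pem
systemctl restart chrony   # assumption: Debian service name
EOF
    chmod 0755 "$hook_dir/chrony-nts.sh"
    echo "$hook_dir/chrony-nts.sh"
}

# 3. The chrony.conf directives. ntsdumpdir keeps the server's cookie keys
#    across the restart, so cookies already handed to clients stay valid.
chrony_nts_conf() {
    cat <<EOF
ntsservercert $NTS_DIR/fullchain.pem
ntsserverkey  $NTS_DIR/privkey.pem
ntsdumpdir    /var/lib/chrony
EOF
}

# Usage: sh nts-setup.sh install ntp.example.com you@example.com
case "${1:-}" in
    install)
        request_cert "$2" "$3"
        hook=$(write_deploy_hook)
        chrony_nts_conf >> /etc/chrony/chrony.conf
        # run the hook once by hand for the freshly issued lineage
        RENEWED_LINEAGE=/etc/letsencrypt/live/$2 sh "$hook"
        ;;
esac
```

After this, `certbot renew` (run by the distribution's systemd timer or cron job) will call the hook on every renewal, so nothing needs to be touched again as long as TCP/80 keeps reaching the host. Separately from port 80, the router needs UDP/123 (NTP) and TCP/4460 (NTS-KE) forwarded to the same machine.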

The IPv6 address is simple: just open port 123/UDP to your IPv6 machine in the router.

It will give the IPv6 address in the router or the server itself.

Then set an AAAA record in your DNS-records at your DNS provider.

Nothing more to it.

It doesn’t matter where your domain is registered or where your DNS-entries are done.

It works the same as IPv4 at the domain-level, just not A record but AAAA.

Great! I have adjusted the DNS record of the domain provider and now its pointing to my IPv6 server.
How do I assign multiple subdomains (like ntp0.yyyy.com and ntp1.yyyy.com) to the same DNS record?

You would need to create an AAAA record for ntp0 and ntp1 within your DNS setup. How exactly this is done depends on your DNS provider.

Well, ntp0.xxxxx to an AAAA with the IPv6 address, and ntp1.xxxxx to an AAAA with the second address.

Or do you mean a round-robin of using 1 name to point to several IP’s?

That is simple too:

ntp.domain.com … AAAA … IPv6 address 1
ntp.domain.com … AAAA … IPv6 address 2

Then both have the same ‘name’ but the DNS-server will serve both.

When checking into the pool management, it will detect both…and show both.

Is this what you mean? Like I have:

bas@workstation:~$ nslookup ntp.heppen.be
Server:		127.0.0.53
Address:	127.0.0.53#53

Non-authoritative answer:
Name:	ntp.heppen.be
Address: 77.109.90.72
Name:	ntp.heppen.be
Address: 51.75.149.45
Name:	ntp.heppen.be
Address: 212.187.8.48
Name:	ntp.heppen.be
Address: 87.118.104.17
Name:	ntp.heppen.be
Address: 2001:41d0:700:1e9d::ec3d:bd92
Name:	ntp.heppen.be
Address: 2001:1b60:2:1:1126:104:0:1

1 call, lists them all.

To mix them with IPv4…list the IPv4’s with the A record.


NTS also uses TCP port 4460, for IPv4 and IPv6. You need to open it if you want NTS clients to connect to your server. I run an NTS server myself. Setting it up was pretty easy on Linux. Got certs, added them to chrony.conf, opened TCP port 4460, and off we go. Luckily, I have an automated system with certbot and systemd timers to renew the certs when it’s their time.
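A check for what the two posts above describe (several A/AAAA records behind one name, and TCP/4460 for NTS-KE), added here as an example that is not from the thread. It assumes `openssl` and `getent` are installed and uses `ntp.example.com` as a placeholder. `openssl s_client` only performs the TLS handshake, so the check covers what NTS-KE demands of that layer (a chain that validates for the name, TLS 1.3, the `ntske/1` ALPN) and not the NTS-KE records themselves. With a round-robin name every address is probed with the same server name, because each server behind the name must present a certificate valid for it.

```shell
#!/bin/sh
# Added example, not part of the thread. Assumes openssl and getent exist;
# ntp.example.com (or whatever is passed in) is the name to test.

NTSKE_PORT=4460

# Every A and AAAA record behind a name, one address per line. getent ahosts
# prints "ADDRESS SOCKTYPE NAME" and repeats each address per socket type,
# hence sort -u.
resolve_all() {
    getent ahosts "$1" | awk '{print $1}' | sort -u
}

# TLS 1.3 handshake to one address, presenting the *name* via SNI and asking
# for the NTS-KE ALPN. Prints s_client's session summary (stdout + stderr).
ntske_handshake() {
    addr=$1; name=$2
    case $addr in
        *:*) target="[$addr]:$NTSKE_PORT" ;;   # IPv6 literal needs brackets
        *)   target="$addr:$NTSKE_PORT" ;;
    esac
    openssl s_client -connect "$target" -servername "$name" \
        -alpn ntske/1 -tls1_3 </dev/null 2>&1
}

# Decide from s_client's output whether the endpoint is usable for NTS-KE:
# the chain must verify for the name AND the server must accept ntske/1.
# Returns 0 when both hold, 1 otherwise.
ntske_output_ok() {
    out=$1
    printf '%s\n' "$out" | grep -q 'Verify return code: 0 (ok)' || return 1
    printf '%s\n' "$out" | grep -q 'ALPN protocol: ntske/1'     || return 1
    return 0
}

# Probe every address behind the name; exit status is non-zero if any failed.
check_nts_server() {
    name=$1; failed=0
    for addr in $(resolve_all "$name"); do
        if ntske_output_ok "$(ntske_handshake "$addr" "$name")"; then
            echo "OK   $addr  ($name)"
        else
            echo "FAIL $addr  ($name)"; failed=1
        fi
    done
    return $failed
}

# Usage: sh nts-check.sh ntp.example.com
case "${1:-}" in
    "") ;;                       # no name given: only define the functions
    *)  check_nts_server "$1" ;;
esac
```

Run it from outside your own network, otherwise a missing router pinhole for TCP/4460 goes unnoticed. A FAIL with `Verify return code` other than 0 usually means the chain file is incomplete or the name is not in the certificate; a FAIL with the chain fine but no `ALPN protocol: ntske/1` line means the port is answered by something other than an NTS-KE server. For the end-to-end test, point a chrony client at the server with `server ntp.example.com iburst nts` and inspect `chronyc -N authdata`.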

I’ve updated the DNS record with a few more AAAA records pointing to the specific IPv6 addresses of my timeservers. Works great. Nice!

Next step is to get myself a TLS certificate. I will try LetsEncrypt first and see how far I get, lol. Thanks all!


Beware, Let’s Encrypt expects an HTTP confirmation that the website is there and functioning.
If it doesn’t get a response, it won’t work.

However, I do not understand why you want to do time encrypted, as it’s not secret information.
It just makes things more complicated without benefits.

Just experimenting, lol
Tinkering and trying things out. Nothing more.

DNS-01 ACME challenges work fine and are particularly useful for situations where there is no web server involved. More things than web servers use TLS certs!

No need to involve a separate web server, or resort to DNS validation which certainly works well, but in my impression is more effort manually configuring DNS, or having to configure certbot to interact with the DNS provider. When…

YMMV.

If you can use it, that is. I have other stuff running on port 80, and 443 is remapped via keyhelp to my home machine’s HTTP.

Certbot doesn’t like that one bit, nor does LetsEncrypt. :slight_smile:

You are the one who brought up the need to run a webserver, as in there not being one being a problem, that is what I was referring to, i.e., that not currently having one wasn’t an issue.

Making certbot work when there already is a webserver is no problem, either, just not as straightforward, and approach varying depending on current setup and personal preferences/comfort levels. Again, YMMV.

Other than that, I had understood that there currently was no webserver, so unless that was a misunderstanding, that was the backdrop of my comment, as in such a case, this seems to be the easiest route, and potential conflict with a pre-existing webserver isn’t an issue. I didn’t say it would work for you.

I typically run into trouble, as I often run stuff NOT the way it’s designed.

Normally I look at the code and rewrite stuff to make it work :crazy_face:

But running encrypted timeservers is useless; I can’t think of any reason to do that.

It’s not like a bank is trusting us for time, maybe as a reference, but trust me, they use their own sources.

Just like oma.be, astronomical stuff, they join the pool, but with their own time-source.

When time really matters…they do not trust us, encrypted or not. :smile:

Yeah, I’d agree.

NTS is about authenticity and integrity, not encryption. The encryption is just in support of those, not, e.g., for keeping the time information confidential.

Sure, and NTS on its own doesn’t “automatically” provide that.

Sure, and if they want to be sure that their clients get their time from those own servers, and that it wasn’t tampered with on the path between client and server, guess what they could use if it was really important to them?

I mean, it’s like when you do online banking (assuming you do), or log into the pool’s management or forum sites, or want to do something on eBay or Amazon or GitLab or GitHub or a webmail provider or your video streaming provider or who else, where I assume you’d want to be sure when you enter your password or other sensitive information, that it is really the site you think you are connecting to before you enter such data. And to be sure only means that to some cryptographic level, you’re really connecting to the site whose URL your browser indicates.

Whether you then trust the server, of whose identity you can be sure to the extent that the cryptography involved allows, that it does the right thing with your data, or doesn’t infect your machine with malware, is another matter, and outside the scope of the cryptography.

Same with NTS, should @Kets_One share the URL of his server (in a secure way), then when you connect, you can verify that it is really his server, and not some middleman, that you are talking to. That is all NTS does, whether you trust the time the server provides is another matter, outside the scope of NTS. Just like you trusting your bank with your money is not based on their certificate as such, but that trust must be there beforehand.

I.e., the inverse is also true, and I guess that is what you are referring to: If one doesn’t trust a source of time like the pool in the first place, then running NTS to cryptographically verify that the communication partner is the pool is probably pointless.

Sure, but nobody claimed they would or should, at least not in this thread, so not sure what your point is.

@Kets_One made clear that all he wants is to tinker and try things out just for the sake of it, out of curiosity, to learn stuff I guess. That is why I set it up on my end.

If you don’t trust the pool…run your own stratum1…like I do.

I do trust the pool.

But why go to these lengths when it’s easy to buy a GPS?

Even the cheap non-PPS ones give a good time.

The pool keeps NORMAL systems on time, and no, they do not care about encryption.

Have you ever checked Windows and how bad it is for a client station… it’s often 10 minutes to 10 hours wrong, without even checking what the time is.

Most people do not care one bit. Not even Microsoft.

So encrypt it? Why? For whom?

Apparently, you have not read, or not understood what I wrote, so I’ll leave it at that.


Shit happens…I do not think the same as most other people.

I often encounter such remarks.

I hope you understand…often it’s not.