Chrony NTS Server: Configuration for Horizontal Scalability

I have implemented NTS service using Chrony.

I’d like to achieve horizontal scalability so that I have pool of NTS servers with single FQDN serving NTS.

Having a single server serving NTS is not a desirable configuration as it does not provide load balancing and high availability.

I’d like to configure a pool of servers configured with NTS, sharing secret keys in a shared file-system/directory.

So a client can talk to server 1 for KE but can use server 2 for NTP using cookies.

Is it possible?

This may help:

https://chrony-project.org/doc/4.3/chrony.conf.html#ntsdumpdir2

ntsdumpdir directory

This directive specifies a directory where chronyd operating as an NTS server can save the keys which encrypt NTS cookies provided to clients. The keys are saved to a single file named ntskeys. When chronyd is restarted, reloading the keys allows the clients to continue using old cookies and avoids a storm of NTS-KE requests. By default, the server does not save the keys.

An example of the directive is:

ntsdumpdir /var/lib/chrony

Thanks.

Yes, it’s possible. On both servers an ntsdumpdir directory needs to be set. On the NTS-KE server you need to set ntsntpserver to the address or hostname of the NTS-NTP server. On the NTS-NTP server you need to set ntsrotate to 0 and, once per week (assuming the default ntsrotate on the NTS-KE server), periodically fetch (e.g. with scp or rsync) the ntskeys file from the ntsdumpdir directory on the NTS-KE server, reloading the file with chronyc reload keys.
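The fetch-and-reload step from the answer above as a script for the NTS-NTP server, written here as an added example (it is not from the thread or from the chrony project): the ntskeys file is installed atomically into ntsdumpdir and chronyd is only told to reload when the keys actually changed. Hostnames, paths, the cron schedule and the FETCH_CMD/CHRONYC overrides are assumptions.

```shell
#!/bin/sh
# Added example: pull the ntskeys file from the NTS-KE server onto an
# NTS-NTP server and reload it, following the setup described in the answer.
# Assumed chrony.conf settings (hostnames are placeholders):
#   NTS-KE server : ntsdumpdir /var/lib/chrony
#                   ntsntpserver ntp1.example.com
#   NTS-NTP server: ntsdumpdir /var/lib/chrony
#                   ntsrotate 0
# FETCH_CMD is any command that copies SRC to DST (rsync over ssh here;
# a local test can set it to cp). CHRONYC points at the chronyc binary.
set -u

FETCH_CMD=${FETCH_CMD:-"rsync -a --chmod=F640"}
CHRONYC=${CHRONYC:-chronyc}

# sync_ntskeys SRC DUMPDIR
# Returns 0 when a new key file was installed and chronyd reloaded,
# 3 when the fetched file is identical to the one already in DUMPDIR,
# 1 on fetch/install failure. The file is moved into place atomically so
# chronyd never reads a half-copied key file.
sync_ntskeys() {
    src=$1
    dumpdir=$2
    dest="$dumpdir/ntskeys"
    tmp=$(mktemp "$dumpdir/.ntskeys.XXXXXX") || return 1
    if ! $FETCH_CMD "$src" "$tmp"; then
        rm -f "$tmp"
        return 1
    fi
    # These keys encrypt every client's cookies: keep the file private.
    # Ownership (the chronyd user) is left to the caller/deployment.
    chmod 0640 "$tmp"
    if [ -f "$dest" ] && cmp -s "$tmp" "$dest"; then
        rm -f "$tmp"
        return 3     # nothing new; avoid a needless reload
    fi
    mv -f "$tmp" "$dest" || { rm -f "$tmp"; return 1; }
    # Reload command as given in the answer; no chronyd restart needed.
    "$CHRONYC" reload keys >/dev/null
}

# Assumed cron entry on the NTS-NTP server. Run it at least as often as the
# KE server's ntsrotate interval (weekly by default) so the NTP server holds
# a new key before clients start presenting cookies encrypted with it:
#   0 * * * * /usr/local/sbin/sync-ntskeys.sh user@ke.example.com:/var/lib/chrony/ntskeys /var/lib/chrony
[ "$#" -eq 0 ] || sync_ntskeys "$@"
```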
