DNS SRV records for NTP and NTS

For NTS the server must have a valid TLS certificate, so random A or AAAA records don’t fit into it. Otherwise the NTP Pool would have to create an SSL certificate for every joining server and would have to go to a certificate authority. I don’t think that this would be practical and it can’t scale. If we want a secure and stable system for the NTP Pool, I think SRV DNS records could fit into the system. Every server is responsible for having a valid SSL certificate. The pool can check if the server has a valid certificate and integrate it into the pool of servers which are randomized for responses in the SRV records.

At the moment ntpsec and ntpd don’t support DNS SRV records for pool. But a lot of configuration management systems (Ansible, Chef, Puppet) can resolve the DNS SRV record and write some server records through a template into the ntpsec configs. Of course it would be very cool if ntpsec could integrate DNS SRV records as a pool source.

First, NTS is still a draft standard…

I don’t foresee the ntp pool trying to implement it as it would add a lot more complexity and likely only end up with a minuscule amount of actual use. Most of the queries to the pool are SNTP, likely from embedded / mobile devices.

Even if the pool had NTS it still would likely not be allowed for any corporate requirement needing traceable / verifiable time sources.

I can understand if you want to wait until NTS is approved. But you could add SRV records for NTP so some clients could start to integrate the possibility to discover NTP servers over DNS SRV records. If NTS is approved and there are enough requests, you could easily extend your system to also support _ntske._tcp… as an SRV record and not only _ntp._udp…

NTS’ goal is to make a trusted authenticated association between a time client and a time server.

The NTP pool is a pool of anonymous suppliers of servers providing time distributed to clients on a random basis through a pool of anonymous DNS servers with rotating records.

To me it seems that NTS and the NTP pool are at two different sides of the universe.

NTS can also help to protect the system from some DDoS attacks. It’s totally okay for me if NTS isn’t implemented in the first step. The NTP Pool is in my opinion a service for service discovery, and DNS SRV records are the definition of how to make a service discoverable over DNS. So I think DNS SRV records fit perfectly into the system of the NTP Pool.

I am not sure you get the purpose of the NTP pool right. It is not a service for service discovery. It is a system where volunteers can provide their server resources for free to others to obtain time. That’s it. If there would be a layer of authentication on top of it most volunteers would simply quit because they lack the knowledge to implement it.

Also, many servers would just cripple under the extra load of encrypted negotiation between the client and server. Many nodes are serving thousands of NTP requests per second. Imagine what happens if these all need NTS. The DNS servers are currently handing out addresses of NTP servers with TTL times in the order of a few minutes. That will cause a lot of new handshakes with every newly handed out IP address.

And with around 4000 server IPs in the field and hundreds of country and vendor level time domains, I am not sure how you want to implement the SRV records without creating a DNS zone with a huge amount of records. Serving these SRV records will slow down the central DNS servers too much.

My understanding of the ntppool was that it provides 3 Services:

  1. Registration service for people who want to share their NTP server with the public
  2. Monitoring of the registered NTP servers to check if they are alive
  3. DNS load balancing of the DNS requests for different regions and pools
    3a. Limit the number of servers returned
    3b. Randomize the order in the response

At the moment the NTP pool only supports A or AAAA DNS requests for 3. My suggestion is to also provide SRV as a valid DNS request. I don’t want to change the load-balancing character of 3. So the response to an SRV DNS request should answer with a limited set of servers and randomize their order.
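As an added illustration (not code from this thread or from the NTP Pool project) of what the two proposals above amount to on the client side, the following script takes a limited, randomized set of `_ntp._udp` SRV records, orders them the way RFC 2782 says a client should (priority first, then weighted random within a priority), and renders `server` lines the way a configuration-management template would. The records and hostnames are constructed placeholders, not real pool servers.

```python
"""RFC 2782 SRV selection for NTP server discovery (constructed example)."""
import random
from typing import List, NamedTuple


class SRV(NamedTuple):
    priority: int
    weight: int
    port: int
    target: str


# Constructed sample answer, as a pool zone might return for _ntp._udp.<zone>:
# already limited to a few servers. Hostnames are placeholders, not real servers.
SAMPLE_SRV = [
    SRV(10, 60, 123, "ntp1.example.net."),
    SRV(10, 30, 123, "ntp2.example.net."),
    SRV(10, 10, 123, "ntp3.example.net."),
    SRV(20, 0, 123, "backup.example.net."),   # weight 0: used only when nothing else
]


def order_srv(records: List[SRV], rng=random) -> List[SRV]:
    """Order records as a client should try them (RFC 2782 usage rules).

    Lower priority values come first. Within one priority, targets are drawn
    one at a time with probability proportional to weight; weight-0 records are
    placed first in the candidate list so they are selected only rarely.
    """
    ordered: List[SRV] = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio and r.weight == 0]
        group += [r for r in records if r.priority == prio and r.weight != 0]
        while group:
            total = sum(r.weight for r in group)
            pick = rng.randint(0, total)          # inclusive upper bound, per RFC
            running = 0
            for r in group:
                running += r.weight
                if running >= pick:               # first record whose running sum reaches the pick
                    ordered.append(r)
                    group.remove(r)
                    break
    return ordered


def render_ntp_conf(records: List[SRV], limit: int, rng=random) -> str:
    """Render ntpd/ntpsec 'server' lines for the first `limit` ordered targets.

    The server directive speaks UDP 123, so records on other ports are skipped.
    """
    chosen = [r for r in order_srv(records, rng) if r.port == 123][:limit]
    return "\n".join(f"server {r.target.rstrip('.')} iburst" for r in chosen)
```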

I’d like to see the NTP pool to have some support for NTS. It couldn’t be compared to NTS servers provided by trusted companies, but I think it would still be good for preventing random MITM attacks on public wireless networks, etc.

I’m not sure if SRV records would be the best way to do that. Most NTP clients don’t support SRV records and it’s not trivial to implement. Wouldn’t the servers still have to have a certificate for a *.pool.ntp.org name? If it pointed to a different name, it would require DNSSEC to prevent MITM attackers from pointing to their servers, right?

A better option might be for the pool to periodically generate short-term certificates for the servers for an NTS specific zone (e.g. nts.pool.ntp.org). Most of my servers in the pool support NTS and I’d be happy to have them included in the zone.

To make it a bit more difficult for the attackers to get an NTS server in the pool there could be some restrictions, like you have to be a member of the pool for at least few years.

I think that the clients would implement the SRV support if such a prominent project like the NTP pool is supporting and offering it.

Why would anyone use Secure-NTP? It’s just a time-server.
NTS will and can not protect a system against hackers.
It’s just time sent encrypted versus non-encrypted.
You can listen at it underway, but what is the point?
Spoofing will be hard as it uses a pool and the source-IP changes all the time.

If you want to protect yourself from possible-time-attacks, just use a GPS and don’t let it connect to the internet. Most safe way of timekeeping.
Also, NTP isn’t a continuous thing, it polls a few times a day at best.

DDoS cannot be stopped because it does NTS over NTP.

I fail to see the purpose as if it really needs to be that safe and secure, a simple GPS solves it in total.