Hi !
Does the pool iiiiin common have NTS support ? Or do you plan separate pools for this ?
Ciao Gerd
There were some discussion in the past, but no progress until now.
Hi !
Okā¦ im trying to be preparedā¦
BTW: must the cert point to host/domain name (cname) or to server name or to Ip address ?
Ciao Gerd
Server names work fine. I havenāt tested with an IP address in the certificate. Not all CAās support that, so it can be challenging to obtain certificates with an IP address.
I donāt recall if NTS as itās specified today supports this, but I think if we supported NTS the pool system would setup individual server names for each server (āserver-5a52x.pool-servers.ntppool.devā) and then having the certs be for those names (either with a public CA like letsencrypt or a small CA operated just for this by the pool).
If/when a server leaves the pool or is marked unhealthy for long enough the hostname and/or certificate could removed/invalidated.
Suggestions or discussion of how this would work by people knowledgable about NTS is most welcome!
1 Like
Here is an old discussion re: srv records and NTS. BTW I think most of you are nuts, and SRV records would be the only reasonable way to get NTS into the pool. Here is a ntpsec-only client-side bolt-on for an NTS pool using SRV records.
RFC8915 doesnāt have this, but there once was an attempt to do it:
This is a now expired draft from 2020. Havenāt heard anything about it since then.
The NTS for the NTP pool draft has:
Clients MAY periodically resolve the pool associated domain names to confirm the server is still trusted by the pool.Ā¶
That would turn over the pool server with most periodic resolutions if the NTS pool names were resolved similarly to today. Not a problem if those periodic resolutions were infrequent, and probably a good thing if the period were at least a day, preferably weeks. Unfortunately that was not specified in this first draft, and there are no more.
There is no need to have āsecure-timeā it serves no purpose.
Reasons:
1: If you are so insecure about time, use your own GPS.
2: If you donāt want this, use multiple sources to check time.
There is no reason at all to use NTS instead of NTP as itās quite simple to check time.
NTS has no place in timekeeping. We should NOT serve those records, as itās nonsense.
Same as public websites are encrypted, itās dumb. Not everything has to be encrypted.
If you donāt trust time, buy a GPS. Simple as that. Also a GPS works without Internet 
Besides the specific host name in the pool, the certificate might also have to include the wildcard domain as an alternative, or *.pool.ntp.org.
As broad as it is, I canāt think of how else to have the certificate to match the host name that a client may be using, such as pool.ntp.org or 0.pool.ntp.org or europe.pool.ntp.org or 1.asia.pool.ntp.org or ao.pool.ntp.org or 2.bv.pool.ntp.orgā¦
Yes, but this may not work with older versions of NTPsec:
1 Like
Then make it at least NTPsec v1.2.2.
Perhaps in the future it becomes easier and more doable:
3 Likes