Re: [chrony-dev] Idea: Leapsecond info via DNS



On Wed, Sep 14, 2016 at 11:32:55PM +0200, Rune Magnussen wrote:
> Hi
> 
> Poul-Henning Kamp has implemented a system to get leapsecond
> information via DNS. I wonder if it is feasible to use in chronyd. The
> benefit would be that there is no need to download and update
> leapsecond files. On the other hand it adds a dependency on another
> service. PHK has made a reference implementation in the form of a test
> program here:
> 
> http://www.freebsd.dk/time/20151122.html

It's an interesting idea. I like that it announces leap seconds one
month ahead. This could be useful on embedded devices or systems that
don't have (or update) the "right" timezones which chrony can use
with the leapsectz directive.

Implementing it in chrony shouldn't be too difficult. It would
complement the get_tz_leap() function in reference.c. The biggest
problem I suspect would be avoiding conflicts with the (asynchronous)
DNS resolving that's performed for NTP sources.

However, I'm not sure if this is the best approach for getting leap
second information. DNS is normally unsecure, so a MITM attacker could
inject a false leap second even if all NTP sources were authenticated. 

I'd rather see chrony get support for reading leap seconds from the
"leap-seconds.list" file, which is distributed by multiple servers,
and recommend running "sleep $[RANDOM] && wget -O ... https://....";
from cron every month or so.

-- 
Miroslav Lichvar
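
Added example, not part of the original message and not chrony code: a C routine that reads leap-seconds.list text and applies plausibility checks before reporting a leap second for the current UTC day (list not expired, entries strictly ordered, offset steps of exactly one second). The function name, the enum and the sample data are assumptions made for illustration; the checks do not authenticate the file, which is left to the HTTPS download.

```c
#include <stdio.h>
#include <string.h>

#define NTP_UNIX_OFFSET 2208988800LL /* seconds from 1900-01-01 to 1970-01-01 */

enum leap { LEAP_NONE, LEAP_INSERT, LEAP_DELETE, LEAP_UNUSABLE };

/* Constructed sample in the leap-seconds.list layout: "#@" is the expiry,
   data lines are "<NTP seconds> <TAI-UTC offset>" */
static const char SAMPLE_LIST[] =
    "#@ 3707596800\n"
    "3550089600 35 # 1 Jul 2012\n"
    "3644697600 36 # 1 Jul 2015\n"
    "3692217600 37 # 1 Jan 2017\n";

/* Hypothetical helper, not chrony code: leap status for the UTC day that
   contains Unix time `now`, or LEAP_UNUSABLE if the list fails a check */
enum leap leap_from_list(const char *text, long long now)
{
    long long ntp_now = now + NTP_UNIX_OFFSET, ts, prev_ts = 0, expiry = 0;
    long long day_end = (ntp_now / 86400 + 1) * 86400;
    int tai, prev_tai = 0, entries = 0;
    enum leap result = LEAP_NONE;
    char buf[128];

    while (*text) {
        size_t len = strcspn(text, "\n");
        if (len >= sizeof buf)
            return LEAP_UNUSABLE;
        memcpy(buf, text, len);
        buf[len] = '\0';
        text += len + (text[len] == '\n');

        if (buf[0] == '#') {
            if (buf[1] == '@')
                sscanf(buf + 2, "%lld", &expiry);
            continue;
        }
        if (sscanf(buf, "%lld %d", &ts, &tai) != 2)
            continue; /* skip blank or non-numeric lines */
        /* Entries must be strictly ordered and change the offset by 1 s */
        if (entries && (ts <= prev_ts || (tai != prev_tai + 1 && tai != prev_tai - 1)))
            return LEAP_UNUSABLE;
        if (entries && ts == day_end)
            result = tai > prev_tai ? LEAP_INSERT : LEAP_DELETE;
        prev_ts = ts; prev_tai = tai; entries++;
    }
    /* No data, no expiry line, or an expired list: report no leap status */
    if (!entries || expiry <= 0 || ntp_now >= expiry)
        return LEAP_UNUSABLE;
    return result;
}
```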
