Re: [chrony-dev] Idea: Leapsecond info via DNS

[Rune Magnussen <rune@xxxxxxxxx>]

På Fri, 16 Sep 2016 17:48:29 +0200
Miroslav Lichvar <mlichvar@xxxxxxxxxx> skrev:
> On Wed, Sep 14, 2016 at 11:32:55PM +0200, Rune Magnussen wrote:
> > Hi
> > 
> > Poul-Henning Kamp has implemented a system to get leapsecond
> > information via DNS. I wonder if it is feasible to use in chronyd.
> > The benefit would be that there is no need to download and update
> > leapsecond files. On the other hand it adds a dependency on another
> > service. PHK has made a reference implementation in the form of a
> > test program here:
> > 
> > http://www.freebsd.dk/time/20151122.html  
> 
> It's an interesting idea. I like that it announces leap seconds one
>
[cut]
> 
> However, I'm not sure if this is the best approach for getting leap
> second information. DNS is normally unsecure, so a MITM attacker could
> inject a false leap second even if all NTP sources were
> authenticated. 
Is DNS worse than NTP-packets when it comes to MITM? 

> 
> I'd rather see chrony to get support for reading leap seconds from the
> "leap-seconds.list" file, which is distributed by multiple servers,
> and recommend running "sleep $[RANDOM] && wget -O ... https://....";
> from cron every month or so.
You would then have to make sure the checksums are downloaded from
another mirror than the file and the best mirrors would depend on where
you are. This seems almost as complicated as adding support for leap
seconds via DNS.

Regards Rune


--
To unsubscribe email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "unsubscribe" in the subject.
For help email chrony-dev-request@xxxxxxxxxxxxxxxxxxxx with "help" in the subject.
Trouble?  Email listmaster@xxxxxxxxxxxxxxxxxxxx.