Re: [chrony-dev] 'Bug/Implementation' fix for v3 NTP client using 'authentication' with key id == 0


On Thu, May 07, 2026 at 03:28:47PM +0200, Miroslav Lichvar wrote:
> For NTPv3 there is RFC 1305. This spec is not clear on whether a key
> ID of zero is allowed in the NTP message either. Looking at the xntpd
> source code, it seems to be handled as an unauthenticated packet.
> 
> From a practical point of view, it makes no sense to send a request
> longer than the expected response. That causes an asymmetry in the
> network delay, which adds an error to the measured offset.
> 
> This wouldn't be the first odd thing that chronyd is willing to
> respond for compatibility. I'll think about it.

I have looked at this issue again and decided to leave it as it is.

The ntp.org ntpd responds to such requests with a crypto-NAK, i.e.
it's not interpreting zero key ID as no authentication, but as failed
authentication (missing or incorrect key). NTPv3 (RFC 1305) doesn't
have crypto-NAKs, so its responses are out of spec anyway.

The ntpsec ntpd doesn't respond to such requests at all, same as
chronyd. A majority of public NTP servers don't respond to these
requests.

The problem needs to be fixed on the client side.

-- 
Miroslav Lichvar
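
The packet shapes discussed in this message can be told apart by what follows the 48-byte NTP header. The classifier below is an added example, not part of the original message and not chrony code. Its function and enum names are hypothetical, it assumes no NTPv4 extension fields, and it treats a trailer of only a zero key ID with no digest as the crypto-NAK shape.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define NTP_HEADER_LEN 48u

enum ntp_auth { NTP_INVALID, NTP_NO_MAC, NTP_CRYPTO_NAK, NTP_MAC_KEY_ZERO, NTP_MAC_KEYED };

/* Version number: bits 3-5 of the first header octet (LI | VN | Mode). */
int ntp_version(const uint8_t *pkt) { return (pkt[0] >> 3) & 0x7; }

/* Classify what follows the 48-byte header. Assumption of this example:
 * no extension fields, so the whole trailer is key ID + digest. */
enum ntp_auth classify_ntp_auth(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < NTP_HEADER_LEN) return NTP_INVALID;
    size_t trailer = len - NTP_HEADER_LEN;
    if (trailer == 0) return NTP_NO_MAC;
    if (trailer % 4 != 0) return NTP_INVALID;
    const uint8_t *k = pkt + NTP_HEADER_LEN;
    uint32_t key_id = ((uint32_t)k[0] << 24) | ((uint32_t)k[1] << 16) |
                      ((uint32_t)k[2] << 8) | (uint32_t)k[3];
    if (trailer == 4)  /* key ID only: zero is the crypto-NAK shape */
        return key_id == 0 ? NTP_CRYPTO_NAK : NTP_INVALID;
    /* Key ID followed by a digest: key ID 0 is the case from this thread. */
    return key_id == 0 ? NTP_MAC_KEY_ZERO : NTP_MAC_KEYED;
}

/* Build a constructed mode-3 (client) packet; trailer_len 0 means no MAC. */
size_t make_request(uint8_t *buf, int version, uint32_t key_id, size_t trailer_len)
{
    memset(buf, 0, NTP_HEADER_LEN + trailer_len);
    buf[0] = (uint8_t)((version << 3) | 3);
    if (trailer_len >= 4) {
        buf[48] = (uint8_t)(key_id >> 24); buf[49] = (uint8_t)(key_id >> 16);
        buf[50] = (uint8_t)(key_id >> 8);  buf[51] = (uint8_t)key_id;
        memset(buf + 52, 0xAB, trailer_len - 4);  /* placeholder digest bytes */
    }
    return NTP_HEADER_LEN + trailer_len;
}

int main(void)
{
    uint8_t buf[128];
    size_t len = make_request(buf, 3, 0, 4 + 16);  /* key ID 0 + MD5-sized digest */
    printf("v%d len=%zu class=%d, %zu bytes longer than a 48-byte reply\n",
           ntp_version(buf), len, classify_ntp_auth(buf, len), len - NTP_HEADER_LEN);
    return 0;
}
```

Run over captured client requests, a result of `NTP_MAC_KEY_ZERO` identifies a client sending the request form that chronyd and ntpsec leave unanswered.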

