Re: [chrony-users] NTS: Limiting



On 20/01/2021 at 10:03, Karol Babioch wrote:
> Hi,
>
> On 19.01.21 at 19:02, Kurt Roeckx wrote:
>> In your config file
>> you need to say something like "server ntp.example.org nts". This
>> means you will only accept certificates that have ntp.example.org
>> in the certificate. If you only trust Let's encrypt, you will only
>> trust certificates issued by Let's encrypt for ntp.example.org.
> Yes, that is correct when you specify servers explicitly.
>
>> I have no idea what kind of attack surface you have in mind.
> I'm wondering how this behaves in case of pools, i.e. when I run a
> private pool of NTP servers, i.e. "pool.example.com".
>
> When I have something like this in my chrony.conf:
>
>> pool pool.example.com iburst maxsources 3
> Is NTS even possible in such a context? AFAIK only A records with IP
> addresses are resolved, so I'm not sure if and how certificates can be
> validated.
There is no NTS for the pool for now. Some technical pieces are missing 
and need to be defined/specified.
There are some proposals for SRV record usage for NTP/NTS, but any 
projection is premature.
So the problem you are trying to solve does not exist now: you always specify 
servers explicitly in an NTS context.

Emmanuel.
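A minimal chrony.conf that reflects what the thread says, added here as an illustration and not taken from the thread itself or from the chrony project's documentation: NTS is enabled per explicitly named server, the certificate is validated against that name, and trust can be narrowed to a single CA with the ntstrustedcerts directive. The server hostnames, the pool name and the certificate path are placeholders chosen for the example.

```conf
# Explicitly named NTS servers: chronyd performs NTS-KE over TLS with each
# host and accepts only a certificate that is valid for that hostname.
server ntp1.example.org iburst nts
server ntp2.example.org iburst nts

# Optional: restrict which CA may have issued those certificates.
# Path is an assumption for this example; point it at the CA bundle you
# actually trust (for Let's Encrypt that would be the ISRG Root X1 file).
ntstrustedcerts /etc/chrony/isrg-root-x1.pem

# A DNS pool name only yields addresses, so there is no name to validate a
# certificate against; per the thread, this stays plain NTP without "nts".
pool pool.example.com iburst maxsources 3
```

After restarting chronyd, `chronyc -N authdata` lists each source with its authentication mode, so you can confirm that the explicitly named servers show NTS while the pool members do not.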

