Re: [chrony-users] NTS: Limiting
- To: chrony-users@xxxxxxxxxxxxxxxxxxxx
- Subject: Re: [chrony-users] NTS: Limiting
- From: Karol Babioch <karol@xxxxxxxxxx>
- Date: Wed, 20 Jan 2021 10:03:57 +0100
Hi,
On 19.01.21 at 19:02, Kurt Roeckx wrote:
> In your config file
> you need to say something like "server ntp.example.org nts". This
> means you will only accept certificates that have ntp.example.org
> in the certificate. If you only trust Let's Encrypt, you will only
> trust certificates issued by Let's Encrypt for ntp.example.org.
Yes, that is correct when you specify servers explicitly.
> I have no idea what kind of attack surface you have in mind.
I'm wondering how this behaves in case of pools, i.e. when I run a
private pool of NTP servers, i.e. "pool.example.com".
When I have something like this in my chrony.conf:
> pool pool.example.com iburst maxsources 3
Is NTS even possible in such a context? AFAIK only A records with IP
addresses are resolved, so I'm not sure if and how certificates can be
validated.
Does anyone know?
Best regards,
Karol Babioch