On Thu, Apr 09, 2020 at 02:08:46PM -0500, Brandon Nielsen wrote:
Additionally, the 'nts' option for 'server' and
'pool' directives, to me,
does not make it immediately clear that NTS will be required for _all_ NTP
servers. To me, that option implies that NTS will be enforced for that
particular pool or server. Especially since I can have additional directives
without that option set (which admittedly makes little sense).
Yes, the nts option is specific to the source. Sometimes it makes
sense to mix non-NTS and NTS sources (e.g. in the case with trusted
network), but probably more commonly it does not.
Finally, the suggestion of bootstrapping NTP without using NTS when
TLS
checks fail concerns me. It needs to be clear when such a thing is allowed
or not.
The suggestion was to disable the TLS time check, not TLS+NTS
completely.
I would be much happier with some kind of `requireents` option in
`/etc/chrony.conf`. When set, NTS is an absolute hard requirement, no plain
NTP servers will be used (from DHCP or otherwise), NTP bootstrapping
mentioned above would also be forbidden. When not set, NTS is still verified
for cases where the option is set, but other NTP servers still work
(bootstrapping allowed?).
Good idea. An upstream option to control mixing of authenticated and
non-authenticated sources would make sense to me. This would nicely
minimize downstream-specific changes. I think it might have more than
just two settings (enabled, disabled) and we'll need to figure out
where exactly it should be controlled (e.g. configuration,
measurements, or source selection).
Thanks,
--
Miroslav Lichvar