Re: ntpdate(8) and unbound(8) dependencies during boot
On 2020-10-15 00:55, Sad Clouds wrote:
> On Wed, 14 Oct 2020 16:28:22 -0700
> Jordan Geoghegan <jordan%geoghegan.ca@localhost> wrote:
>> 1) Have ntp daemon check various trusted http/https servers at boot
>> to sanity check our clock and NTP data (no DNS needed, fall back to
>> HTTP only if clock is too broken to negotiate TLS)
>> 2) Enjoy not having everything break on boot due to unfortunate lack
> Hi, you say working DNS is not needed, so are you saying that OpenBSD
> default ntpd config comes with a set of static IP addresses that point
> to NTP servers running via https protocol?
Not exactly, there are no NTP servers running over HTTP, it's a similar
concept to the tlsdate util.
Basically all it's doing is extracting datestamps from the handshakes
with the web servers, and comparing it to the data it's receiving via
NTP (if any).
What's nice about this, is that because of DNS over HTTPS, there's a
number of highly available IP endpoints that have had TLS certs issued
to them, such as Quad9's 18.104.22.168 and Cloudflare's 22.214.171.124, 126.96.36.199 etc.
By having all this fancy footwork done in one daemon (ntpd), it avoids
having to mess around with individual daemons like unbound in a vain
attempt to cope with broken clocks.
None of this is in any RFC, and may very well break in the future, but
at least it's a working solution for right now until the big brains can
engineer a proper, purpose-built solution.
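The idea described in this reply, as an added illustration that is not part of the thread and is not OpenBSD ntpd's own code (ntpd implements its constraint logic in C): contact a fixed IP address over HTTPS with no DNS involved, take the Date header the web server sends, and use it only as a coarse cross-check of whatever offset NTP proposes. The HEAD request, the fall-back to plain HTTP when certificate validation fails, the 60-second tolerance and the sample response are all assumptions of this example.

```python
import socket
import ssl
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample response, shaped like what a web server returns to a HEAD request.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Date: Thu, 15 Oct 2020 07:55:00 GMT\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)


def extract_http_date(response: bytes) -> datetime:
    """Return the Date header of an HTTP response as a timezone-aware UTC datetime."""
    head, _, _ = response.partition(b"\r\n\r\n")
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if sep and name.strip().lower() == b"date":
            parsed = parsedate_to_datetime(value.strip().decode("ascii"))
            return parsed.astimezone(timezone.utc)
    raise ValueError("response carries no Date header")


def _read_all(sock) -> bytes:
    """Read until the peer closes the connection (we asked for Connection: close)."""
    chunks = []
    while True:
        data = sock.recv(4096)
        if not data:
            return b"".join(chunks)
        chunks.append(data)


def fetch_http_date(ip: str, timeout: float = 5.0) -> tuple:
    """Query a fixed IP (no DNS lookup) for its Date header.

    HTTPS is tried first so the timestamp is authenticated by the server's certificate.
    If the local clock is so wrong that certificate validity checks fail, the function
    falls back to plain HTTP on port 80 and flags the result as unauthenticated, so a
    caller can treat it as a hint rather than as trusted time.  (Assumed behaviour.)
    """
    request = (
        b"HEAD / HTTP/1.0\r\nHost: " + ip.encode("ascii")
        + b"\r\nConnection: close\r\n\r\n"
    )
    try:
        ctx = ssl.create_default_context()  # verifies the chain and the IP SAN
        with socket.create_connection((ip, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=ip) as tls:
                tls.sendall(request)
                return extract_http_date(_read_all(tls)), True
    except ssl.SSLCertVerificationError:
        with socket.create_connection((ip, 80), timeout=timeout) as plain:
            plain.sendall(request)
            return extract_http_date(_read_all(plain)), False


def ntp_offset_is_plausible(local_now: datetime, https_time: datetime,
                            ntp_offset_seconds: float,
                            tolerance_seconds: float = 60.0) -> bool:
    """Accept an NTP-derived clock offset only if it agrees with the HTTPS-derived one.

    The Date header has one-second resolution and includes network latency, so the
    tolerance (an assumed value here) is deliberately coarse: this is a sanity check
    against a wildly wrong clock or bogus NTP data, not a precision time source.
    """
    https_offset = (https_time - local_now).total_seconds()
    return abs(ntp_offset_seconds - https_offset) <= tolerance_seconds


def assess_clock(local_now_iso: str, response: bytes, ntp_offset_seconds: float) -> dict:
    """Combine the pieces for a given local time, HTTP response and NTP offset."""
    local_now = datetime.fromisoformat(local_now_iso)
    https_time = extract_http_date(response)
    return {
        "https_offset": (https_time - local_now).total_seconds(),
        "ntp_plausible": ntp_offset_is_plausible(local_now, https_time, ntp_offset_seconds),
    }


if __name__ == "__main__":
    # Stand-alone demo on the constructed response: a clock 30 s slow, NTP agrees.
    print(assess_clock("2020-10-15T07:54:30+00:00", SAMPLE_RESPONSE, 30.0))
    # Same clock, but NTP claims the clock is an hour off: rejected.
    print(assess_clock("2020-10-15T07:54:30+00:00", SAMPLE_RESPONSE, 3600.0))
```

A boot-time caller would run `fetch_http_date()` against a couple of the fixed addresses mentioned above and feed the result into `assess_clock()`; when the second element of the tuple is False the timestamp came over plain HTTP and should only be used to get the clock close enough for TLS to work on the next attempt.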