On 19.01.22 20:44, Stephan Seitz wrote:
On Wed, Jan 19, 2022 at 13:34:13 -0600, Richard Laager wrote:
For people that want something more than systemd-timesyncd, e.g. to
get NTS, I think either is an acceptable choice. It seems that the
consensus
Well, most people will use the default NTP server of the package and
don't have an NTP server in their network.
And since Debian is trying to be as secure as possible, the default NTP
server should be ntpsec with as many NTS-enabled entries as possible.
I agree we should have a look at this (either ntpsec or chrony, both do
NTS), but I think this should be done completely independently of the
ntp.org->ntpsec migration.
I can think of two problems with running NTS enabled by default (I have
checked neither problem against any documentation, so it might be a
non-issue):
- AFAIK there is no pool.ntp.org (or similar) service containing only
NTS-enabled time sources yet. I don't know how it would work either,
since you need to verify the peer with a standard X.509 certificate and
you don't know the expected CN from a DNS RR.
- Since NTS leverages X.509, how does it work with a broken clock on
boot that is ticking outside the certificate validity period?
Bernhard
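As an added illustration of the two points above (this is an example written for this page, not a configuration posted by anyone in the thread or shipped by Debian), here is how the per-source NTS setting and the boot-time certificate-validity problem look in a chrony.conf fragment. The hostnames nts1.example.net and nts2.example.net are placeholders, the ntsdumpdir path assumes Debian's /var/lib/chrony, and the directive names (server ... nts, ntstrustedcerts, ntsdumpdir, nocerttimecheck) are chrony's own:

```conf
# /etc/chrony/chrony.conf fragment (added example, not from the thread).
# Hostnames are placeholders: they must run NTS-KE on TCP 4460 and present
# a certificate whose SAN/CN matches the name used here, since that name
# (not anything from DNS) is what chrony verifies the peer against.

# "nts" is a per-source option, so a plain pool entry can stay alongside
# NTS sources; if every NTS-KE exchange fails, the host is not left timeless.
server nts1.example.net iburst nts
server nts2.example.net iburst nts
pool 2.debian.pool.ntp.org iburst

# Optional: pin NTS-KE trust to a specific CA bundle instead of the system
# trust store (path is an assumption for this example).
# ntstrustedcerts /etc/chrony/nts-ca.pem

# Keep NTS cookies across reboots so chrony can authenticate NTP responses
# right after boot without first needing a fresh NTS-KE (and thus a clock
# that already falls inside the certificate validity period).
ntsdumpdir /var/lib/chrony

# Bernhard's second point: on a host whose clock is wildly wrong at boot
# (no RTC, dead battery), the notBefore/notAfter check on the NTS-KE server
# certificate fails. nocerttimecheck skips that check for the first N clock
# updates only; keep N small, because during those updates an attacker with
# an expired or not-yet-valid certificate would not be rejected on time alone.
nocerttimecheck 1
```

After a restart, `chronyc -N authdata` lists each source with its authentication mode; the NTS sources should show NTS as the mode together with a successful NTS-KE status, while the plain pool entries show none. Note that this fragment addresses only the clock-at-boot problem; it does nothing for the first point (an NTS-only pool), which still requires explicitly named servers whose certificate names are known in advance.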