On 19.01.22 20:44, Stephan Seitz wrote:
> On Wed, Jan 19, 2022 at 13:34:13 -0600, Richard Laager wrote:
> > For people that want something more than systemd-timesyncd, e.g. to get NTS, I think either are acceptable choices. It seems that the consensus
> Well, most people will use the default NTP server of the package and don't have a NTP server in their network. And since Debian is trying to be as secure as possible, the default NTP server should be ntpsec with as many activated NTS entries as possible.
I agree we should have a look at this (either ntpsec or chrony, both do NTS), but I think this should be done completely independently of the ntp.org->ntpsec migration.
I can think of two problems with running NTS enabled by default (I have checked neither problem against any documentation, so it might be a non-issue):
- AFAIK there is no pool.ntp.org (or similar) service only containing NTS-enabled time sources yet. I don't know how it would work either, since you need to verify the peer with a standard X.509 certificate and you don't know the expected CN from a DNS RR.
- Since NTS leverages X.509, how does it work with a broken clock on boot that is ticking outside of the certificate validity period?
Bernhard
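The second concern above (certificate validity checks against a clock that is wrong at boot) can be made concrete. The following is an added illustration, not code from the thread or from ntpsec/chrony: it models a client that refuses to evaluate a certificate's notBefore/notAfter window against a clock that is below an assumed lower bound (a "floor", such as the install timestamp of the time daemon) and instead uses the floor as a provisional clock. All dates are constructed for the example, and the floor mechanism is an assumed mitigation, not a description of what any daemon actually does.

```python
from datetime import datetime, timezone

UTC = timezone.utc

# Constructed example values (not from the thread): the NTS-KE server's
# certificate validity window, a plausible time floor, and clock readings.
CERT_NOT_BEFORE = datetime(2022, 1, 1, tzinfo=UTC)
CERT_NOT_AFTER = datetime(2022, 4, 1, tzinfo=UTC)
TIME_FLOOR = datetime(2022, 1, 19, tzinfo=UTC)   # e.g. daemon install time
STALE_FLOOR = datetime(2021, 6, 1, tzinfo=UTC)   # floor from an older install
RTC_RESET = datetime(1970, 1, 1, tzinfo=UTC)     # battery-dead RTC reading
CLOCK_OK = datetime(2022, 2, 1, tzinfo=UTC)
CLOCK_LATE = datetime(2022, 6, 1, tzinfo=UTC)


def check_clock_for_nts(now, not_before=CERT_NOT_BEFORE,
                        not_after=CERT_NOT_AFTER, floor=TIME_FLOOR):
    """Classify the local clock before trusting an X.509 time check.
    Returns (verdict, clock_to_use)."""
    if now < floor:
        # Clock is before a time we know has already passed, so it is
        # certainly wrong; use the floor as a provisional clock instead.
        return "clock_below_floor", floor
    if now < not_before:
        return "cert_not_yet_valid", now
    if now > not_after:
        return "cert_expired", now
    return "ok", now


def simulate_boot(rtc_reading, floor=TIME_FLOOR):
    """Boot sequence: check the raw clock, then retry once with the
    provisional clock. A stale floor can still leave the cert invalid,
    which is exactly the chicken-and-egg problem raised above."""
    verdict, clock = check_clock_for_nts(rtc_reading, floor=floor)
    if verdict == "clock_below_floor":
        verdict, clock = check_clock_for_nts(clock, floor=floor)
    return verdict, clock


if __name__ == "__main__":
    for label, rtc, floor in (("reset rtc, fresh floor", RTC_RESET, TIME_FLOOR),
                              ("reset rtc, stale floor", RTC_RESET, STALE_FLOOR),
                              ("clock past expiry", CLOCK_LATE, TIME_FLOOR)):
        print(label, "->", simulate_boot(rtc, floor))
```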