Re: NTP Sync Issue Across Tata (Europe)

[Mark Andrews <marka () isc org>]

> On 7 Aug 2023, at 12:02, Rubens Kuhl <rubensk () gmail com> wrote:
>
>
>
> On Sun, Aug 6, 2023 at 8:20 PM Mel Beckman <mel () beckman org> wrote:
> Or one can read recent research papers that thoroughly document the incredible fragility of the existing NTP 
> hierarchy and soberly consider their recommendations for remediation:
>
> The paper suggests the compromise of critical infrastructure. So, besides not using NTP, why not stop using DNS ? 
> Just populate a hosts file with all you need. 

Well DNS can be cryptographically secured.  There really isn’t any good reasons to not sign your zones today.  The 
majority of responses from authoritative servers are validated today so if you sign the responses will be checked.  
Unfortunately most to those validations still result in insecure instead of secure because people are not signing their 
zones.

> BTW, the stratum-0 source you suggested is known to have been manipulated in the past 
> (https://www.gps.gov/systems/gps/modernization/sa/), so you need to bet on that specific state actor not returning to 
> old habits. 
>
> OTOH, 4 of the 5 servers I suggested have their own atomic clock, and you can keep using GPS as well. If GPS goes 
> bananas on timing, that source will just be disregarded (one of the features of the NTP architecture that has been 
> pointed out over and over in this thread and you keep ignoring it). 
>
> Rubens 

-- 
Mark Andrews, ISC
1 Seymour St., Dundas Valley, NSW 2117, Australia
PHONE: +61 2 9871 4742              INTERNET: marka () isc org