Re: Fedora 33 Self-Contained Change proposal: Network Time Security

On Wed, Apr 08, 2020 at 02:09:01PM -0500, Brandon Nielsen wrote:
> On 4/8/20 3:42 AM, Miroslav Lichvar wrote:
> > What is the issue with using untrusted DNS servers here? An NTS client
> > is supposed to verify the certificates. Local MITM attackers shouldn't
> > be able to force the client to synchronize to a different NTP server.
> > (Of course, they can always disable the synchronization.)
> > 
> 
> I'm not saying there is necessarily an issue, just a logical inconsistency.
> If the DNS servers provided by DHCP are trusted, why would any plain NTP
> servers also provided by DHCP not be trusted? I can do nefarious things with
> either.

I think it depends on the network. Is it yours or is it a random hotspot?

In general neither should be trusted, but most applications don't rely
on DNS being secure, so using random untrusted DNS servers from DHCP
is usually not a major issue. I'm ignoring privacy issues.

> Generally speaking, on a network I admin, if I've configured DHCP to provide
> things like NTP and DNS servers, it's because I intend client devices to use
> those things. While some devices choose to ignore DHCP provided DNS (and
> NTP), I can still reroute those requests at the edge router. Is that also
> possible with NTS? Even if it gets rerouted to a plain NTP server?

No, an NTS-enabled client cannot be redirected to a different server
(using a different certificate or NTS keys). That would be a security
issue. It's similar to DNS over HTTPS.

> I feel like if this is on by default we're basically saying nobody trusts
> any provided NTP server unless it supports NTS. If that's the case, do away
> with the 'trusted network' verbiage and just say that only NTS servers
> provided over DHCP will be used.

The NTP option in DHCP doesn't provide the client with a name of the
server (at least in IPv4), so it couldn't try NTS even if it wanted.

> Additionally, what about the no-internet case? Will a local, non-NTS NTP
> server be acceptable in that case? I feel like that would be handled by the
> change to PEERNTP you mention above. But then can't attackers "disable the
> synchronization" as you mention above, essentially forcing us back to no
> additional security?

I think the installer could verify that NTS works (which implies a
working Internet connection) and if not, it would leave PEERNTP
enabled.

> > It would still work, even if we didn't use it by default. The name is
> > just an alias for pool.ntp.org. The servers used in the current
> > default configuration are not run by Fedora.
> > 
> 
> Does the alias provide no additional functionality? Does it help with an
> estimate of running Fedora machines in the wild?

The alias is a "vendor" zone to give the pool admins some control in
case our NTP clients create too much traffic and need to be stopped.
I think the admins have some statistics on DNS traffic in specific
zones, but I'm not privy to the data.

> Will there be some kind of 'canary domain' like there is for DoH
> (use-application-dns.net)?

I don't think I saw any suggestions for implementing that.

> Again from a network admin standpoint, if I
> provide a local NTP server without NTS, I want an easy way to tell the
> devices I manage to use it.

The PEERNTP option will still work. It may just have a different
default and/or have a new setting.

-- 
Miroslav Lichvar
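
An added example, not part of the original message or of any Fedora or chrony code: a decoder for the DHCP NTP options, showing why the IPv4 option leaves a client nothing to try NTS with. It goes beyond the message by also decoding the DHCPv6 NTP option (RFC 5908), which can carry a name. The sample bytes are constructed, and nts_candidates is a hypothetical helper.

```python
import ipaddress
import struct

DHCP4_OPT_NTP = 42                                   # RFC 2132: IPv4 addresses only
SUB_SRV_ADDR, SUB_MC_ADDR, SUB_SRV_FQDN = 1, 2, 3    # RFC 5908 suboptions

def parse_dhcp4_ntp(option):
    """Decode a DHCPv4 option 42 TLV: code, length, then 4-byte addresses."""
    if len(option) < 2:
        raise ValueError("option too short")
    code, length, data = option[0], option[1], option[2:]
    if code != DHCP4_OPT_NTP or length != len(data) or not length or length % 4:
        raise ValueError("malformed DHCPv4 NTP option")
    return [("addr", str(ipaddress.IPv4Address(data[i:i + 4])))
            for i in range(0, length, 4)]

def decode_dns_name(wire):
    """Decode an uncompressed DNS wire-format name into dotted form."""
    labels, pos = [], 0
    while pos < len(wire) and wire[pos]:
        n = wire[pos]
        if n > 63 or pos + 1 + n > len(wire):
            raise ValueError("malformed name")
        labels.append(wire[pos + 1:pos + 1 + n].decode("ascii"))
        pos += 1 + n
    return ".".join(labels)

def parse_dhcp6_ntp(payload):
    """Decode the suboptions carried inside a DHCPv6 option 56 payload."""
    out, pos = [], 0
    while pos < len(payload):
        if pos + 4 > len(payload):
            raise ValueError("truncated suboption header")
        sub, length = struct.unpack_from("!HH", payload, pos)
        value = payload[pos + 4:pos + 4 + length]
        if len(value) != length:
            raise ValueError("truncated suboption")
        pos += 4 + length
        if sub in (SUB_SRV_ADDR, SUB_MC_ADDR) and length == 16:
            out.append(("addr", str(ipaddress.IPv6Address(value))))
        elif sub == SUB_SRV_FQDN:
            out.append(("name", decode_dns_name(value)))
    return out

def nts_candidates(servers):
    """Hypothetical helper: keep only entries that carry a server name."""
    return [value for kind, value in servers if kind == "name"]

# Constructed sample options (documentation address ranges, example domain).
SAMPLE_V4 = bytes([42, 8, 192, 0, 2, 1, 192, 0, 2, 2])
NAME = b"\x03ntp\x07example\x03net\x00"
SAMPLE_V6 = (struct.pack("!HH", SUB_SRV_ADDR, 16) + ipaddress.IPv6Address("2001:db8::1").packed
             + struct.pack("!HH", SUB_SRV_FQDN, len(NAME)) + NAME)
```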