On 2020-10-15 00:55, Sad Clouds wrote:
> On Wed, 14 Oct 2020 16:28:22 -0700 Jordan Geoghegan <jordan%geoghegan.ca@localhost> wrote:
>> 1) Have ntp daemon check various trusted http/https servers at boot to sanity check our clock and NTP data (no DNS needed, fall back to HTTP only if clock is too broken to negotiate TLS)
>> 2) Enjoy not having everything break on boot due to unfortunate lack of RTC
>>
>> Regards, Jordan
>>
>> [1] https://man.openbsd.org/ntpd
>> [2] https://marc.info/?l=openbsd-tech&m=142363400330522&w=2
>
> Hi, you say working DNS is not needed, so are you saying that OpenBSD default ntpd config comes with a set of static IP addresses that point to NTP servers running via https protocol?
Not exactly; there are no NTP servers running over HTTP. It's a similar concept to the tlsdate util [1].
Basically all it's doing is extracting datestamps from the handshakes with the web servers, and comparing them to the data it's receiving via NTP (if any).
What's nice about this is that, because of DNS over HTTPS, there are a number of highly available IP endpoints that have had TLS certs issued to them, such as Quad9's 9.9.9.9 and Cloudflare's 1.1.1.1, 1.0.0.1, etc.
By having all this fancy footwork done in one daemon (ntpd), it avoids having to mess around with individual daemons like unbound in a vain attempt to cope with broken clocks.
None of this is in any RFC, and may very well break in the future, but at least it's a working solution for right now until the big brains can engineer a proper, purpose-built solution.
Regards, Jordan

[1] https://github.com/ioerror/tlsdate
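The sanity check Jordan describes, modelled as an added example: this is not code from the thread and not OpenBSD's ntpd, and it makes some assumptions the thread does not spell out. It takes the `Date` header of an HTTPS response from a fixed-IP endpoint as the datestamp (the thread only says "datestamps from the handshakes"; the header is an assumption here), reduces several such responses to a median reference time, and then asks whether the time NTP proposes is within a coarse tolerance of that reference. The sample responses are constructed for the example. `fetch_https_head` is the only function that touches the network and is not exercised by the offline sample; it is the place where a badly wrong clock surfaces as a certificate-validity failure, which is the condition for the plain-HTTP fallback the thread mentions.

```python
import email.utils
import socket
import ssl
import statistics
from datetime import datetime, timedelta, timezone

# Constructed sample HTTPS responses (headers only), standing in for what the
# check would read back from fixed-IP endpoints such as 9.9.9.9 or 1.1.1.1.
# The Date values are made up for this example; the third has no Date at all.
SAMPLE_RESPONSES = [
    b"HTTP/1.1 200 OK\r\nDate: Thu, 15 Oct 2020 00:55:10 GMT\r\nContent-Length: 0\r\n\r\n",
    b"HTTP/1.1 301 Moved Permanently\r\nDate: Thu, 15 Oct 2020 00:55:12 GMT\r\n"
    b"Location: https://example.invalid/\r\n\r\n",
    b"HTTP/1.1 200 OK\r\nServer: nginx\r\nContent-Length: 0\r\n\r\n",
]


def parse_http_date(raw_response: bytes):
    """Return the Date header of an HTTP response as an aware UTC datetime, or None.

    Only the header block is examined. A missing or unparsable Date yields None
    so that a bad constraint source is skipped rather than trusted.
    """
    head = raw_response.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:  # skip the status line
        name, sep, value = line.partition(b":")
        if not sep or name.strip().lower() != b"date":
            continue
        try:
            parsed = email.utils.parsedate_to_datetime(value.strip().decode("ascii"))
        except (ValueError, TypeError, UnicodeDecodeError):
            return None
        if parsed.tzinfo is None:  # "-0000" style dates come back naive; treat as UTC
            parsed = parsed.replace(tzinfo=timezone.utc)
        return parsed.astimezone(timezone.utc)
    return None


def constraint_median(raw_responses):
    """Median of the usable Date headers as one reference time; None if none parse.

    The median means one endpoint with a wrong clock cannot drag the reference
    on its own, as long as the majority of sources agree.
    """
    times = [t for t in map(parse_http_date, raw_responses) if t is not None]
    if not times:
        return None
    median_epoch = statistics.median(t.timestamp() for t in times)
    return datetime.fromtimestamp(median_epoch, tz=timezone.utc)


def ntp_time_plausible(ntp_time: datetime, reference: datetime,
                       tolerance: timedelta = timedelta(hours=1)) -> bool:
    """True if the time NTP proposes lies within `tolerance` of the HTTPS reference.

    HTTP Date has one-second resolution and includes network latency, so it can
    only bound the clock coarsely: it is a sanity check, not a time source.
    """
    return abs(ntp_time - reference) <= tolerance


def fetch_https_head(ip: str, port: int = 443, timeout: float = 5.0) -> bytes:
    """Fetch response headers over TLS from an IP literal (not used offline).

    Certificate validation is done against the IP address itself, which only
    succeeds for endpoints whose certificates carry an IP SAN, which is why the
    thread points at DNS-over-HTTPS resolvers. A clock that is far off fails
    here with a "not yet valid"/"expired" certificate error; that failure is the
    signal for the plain-HTTP fallback described in the thread.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=ip) as tls:
            tls.sendall(b"HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % ip.encode())
            chunks = []
            while True:
                data = tls.recv(4096)
                if not data:
                    break
                chunks.append(data)
                if b"\r\n\r\n" in b"".join(chunks):
                    break
    return b"".join(chunks)


if __name__ == "__main__":
    ref = constraint_median(SAMPLE_RESPONSES)
    print("HTTPS reference (median):", ref.isoformat())
    # A near-agreeing NTP offer passes; an epoch-zero clock (no RTC) is rejected.
    for candidate in (ref + timedelta(seconds=2), datetime(1970, 1, 1, tzinfo=timezone.utc)):
        verdict = "plausible" if ntp_time_plausible(candidate, ref) else "REJECTED"
        print(candidate.isoformat(), verdict)
```

The tolerance is deliberately loose: the point of the check is to catch a clock that is off by years at boot, not to discipline it, and tightening it below the latency and one-second granularity of an HTTP `Date` would reject good NTP data.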