NTP through DNS?

Danny Mayer mayer at pdmconsulting.net
Fri Sep 21 20:19:51 UTC 2018


On 9/21/2018 3:57 PM, Mauricio Tavares wrote:
> On Fri, Sep 21, 2018 at 3:14 PM, Danny Mayer <mayer at pdmconsulting.net> wrote:
>> On 9/21/2018 7:56 AM, Ray Bellis wrote:
>>> On 21/09/2018 12:47, Danny Mayer wrote:
>>>
>>>> Putting on both my BIND9 and NTP hats for a moment:
>>>>
>>>> This answer makes no sense. NTP uses standard DNS FQDNs for all of its
>>>> references to NTP servers whether it's using pool, server or peer. I
>>>> have no idea where the reverse zone comes in, though I haven't read the
>>>> whole thread. The NTP services all belong to domains, whether internal or
>>>> external. There is a DHCP option that we have seen, but it seems to cause
>>>> more confusion than anything.
>>>>
>>>> You can create a DNS A or AAAA or even a CNAME in your local DNS that
>>>> the NTP server can use and it all works.
>>>>
>>>> Let me know if I misunderstood what this is really about.
>>>
>>> I believe you have.
>>>
>>> The discussion was about automated _discovery_ of the DNS name of your
>>> NTP server using an additional level of indirection so that it can be
>>> automatically configured without using DHCP.
>>
>> That's easy. Create a FQDN called ntp in your domain and have it be a
>> set of CNAMEs pointing to the ntp servers you want to use. The ntpd pool
>> option will take care of setting the multiple servers. You don't need
>> the complexity of SRV records.
>>
>       But that is not, as Ray said, automated discovery. You are
> asking the computer to make assumptions, i.e. "if I am in domain
> hey.com, the ntp is ntp.hey.com." I am more along the lines of "hey
> domain thingie. You know where a lot of your basic network resources
> are. If you have an ntp server, do you know where it is just like you
> know where your mail, LDAP, and kerbie servers are hiding?"

That's not what I wrote. Someone needs to maintain an SRV record. It's
not a good idea for domains to announce their NTP servers, since they can
be abused by others not authorized to use them. We've had plenty of
abuse along those lines, along with DDoS attacks. What the ntp CNAME
would do is point to a number of other servers to use, and you don't need
to call it ntp; it's just a string.

Danny
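The two approaches argued over in this thread, SRV-based discovery versus a single pool name, written out as an added example. This is not code from the thread, from BIND or from ntpd; the domain example.com, the host names, the addresses and the SRV priorities and weights are constructed for the example, and the `_ntp._udp.<domain>` label is the conventional RFC 2782 form assumed here. Because a name can carry only one CNAME, the "one name, many servers" pattern is modelled with several A records behind ntp.example.com, which is the shape a pool name has in practice. No DNS queries are made; the zone data is an in-memory dictionary.

```python
"""SRV discovery of NTP servers vs. a single pool name (constructed example).

The zone data below is hand-built for this example; nothing is resolved
over the network. ntpd (ntp.org) does not consult SRV records itself, so a
client that wants RFC 2782 discovery has to do the lookup and then write
ordinary ``server`` lines, which is what ntp_conf_from_srv() produces.
"""
import random
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class SRV:
    priority: int
    weight: int
    port: int
    target: str


# Constructed records for the hypothetical domain example.com.
ZONE = {
    # Discovery by indirection: _ntp._udp.<domain> SRV records (RFC 2782).
    # Anyone who can query the zone learns these names, which is the
    # exposure the thread warns about.
    "_ntp._udp.example.com.": [
        SRV(10, 60, 123, "ntp1.example.com."),
        SRV(10, 40, 123, "ntp2.example.com."),
        SRV(20, 0, 123, "ntp3.example.com."),   # backup: only after priority 10
    ],
    # One name, several addresses: ntpd's ``pool`` directive re-resolves
    # this name and adds several of the returned addresses by itself.
    "ntp.example.com.": ["192.0.2.10", "192.0.2.11", "192.0.2.12"],  # A records
}


def srv_order(records, seed=None):
    """Order SRV records per RFC 2782.

    Lower priority first; within one priority, weighted random selection
    with zero-weight records placed first so they are rarely chosen.
    A seed makes the ordering reproducible (for tests); None means random.
    """
    rng = random.Random(seed)
    by_prio = defaultdict(list)
    for rr in records:
        by_prio[rr.priority].append(rr)
    ordered = []
    for prio in sorted(by_prio):
        pending = list(by_prio[prio])
        pending.sort(key=lambda rr: rr.weight != 0)  # zeros first (stable)
        while pending:
            total = sum(rr.weight for rr in pending)
            r = rng.randint(0, total)  # uniform in [0, total], inclusive
            running = 0
            pick = pending[-1]
            for rr in pending:
                running += rr.weight
                if running >= r:
                    pick = rr
                    break
            ordered.append(pick)
            pending.remove(pick)
    return ordered


def ntp_conf_from_srv(domain, zone=ZONE, seed=None):
    """Build ntp.conf ``server`` lines from the SRV records of ``domain``."""
    records = zone.get(f"_ntp._udp.{domain}", [])
    lines = []
    for rr in srv_order(records, seed):
        if rr.port != 123:
            # ntpd's ``server`` directive has no port option, so a target
            # advertising another port cannot be used; report and skip it.
            lines.append(f"# skipped {rr.target} (port {rr.port} unsupported)")
            continue
        lines.append(f"server {rr.target.rstrip('.')} iburst")
    return lines


def ntp_conf_from_pool_name(name):
    """The thread's alternative: one pool line, ntpd does the rest."""
    return [f"pool {name.rstrip('.')} iburst"]


if __name__ == "__main__":
    print("# SRV discovery")
    print("\n".join(ntp_conf_from_srv("example.com.")))
    print("# pool name")
    print("\n".join(ntp_conf_from_pool_name("ntp.example.com.")))
```

The SRV path publishes the server list to anyone who can query the zone, which is the abuse concern raised in the message; the servers named there still need their own access control on the ntpd side (the usual `restrict default kod nomodify notrap nopeer noquery` line) regardless of how clients found them. The pool-name path keeps the indirection inside the name the client is told to use, and ntpd's `pool` directive handles re-resolution and multiple associations without any SRV parsing on the client.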


More information about the bind-users mailing list