Archive > 21.1 Legacy Series
[Feature request] Chrony authselectmode
Mr.Goodcat:
Hi,
I recently decided to switch to chrony which is working great so far :D
Unfortunately though, the plugin doesn't allow specifying the authselectmode, i.e. how to handle NTS. Currently it seems to be set to "require", meaning all non-NTS servers are ignored. However, I'd like to run a mix of remote NTS servers plus local non-NTS servers. Thus it would be great if the options "prefer" and "mix" were available. Would it be possible to add this with an upcoming update? Thanks!
mimugmail:
Can you open a feature request in GitHub? I'll take it then
Mr.Goodcat:
Hi,
thank you for your help! :D
--- Quote from: mimugmail on July 19, 2021, 10:17:20 pm ---Can you open a feature request in GitHub? I'll take it then
--- End quote ---
I opened up a request on Github, not sure if this is the right format though:
https://github.com/opnsense/plugins/issues/2470
newsense:
The request is a bit nonsensical in that public NTP servers will be of a lower stratum than an internal one - which presumably will be tied to a GPS device. When mixing and matching multiple lower stratum clocks against a single stratum 0 one (GPS/atomic) it will be discarded as
--- Quote --- 'x' = may be in error
--- End quote ---
The better option in the absence of an RTC clock would be to add the NTS servers both with DNS entries and IPs, so that a power outage doesn't create a chicken-and-egg problem when all SSL-based services including DNS come up and nothing works because the time is incorrect.
Other alternatives to consider: Rpi + GPS dongle and/or RTC clock module.
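For reference, here is what the two requests in this thread look like in a hand-written chrony.conf: the `authselectmode` values Mr.Goodcat asked for (a remote NTS set plus a local non-NTS server) and the boot-time "chicken and egg" point newsense raised. This is an added example, not the configuration the OPNsense chrony plugin generates; the NTS hostnames are the ones posted in the thread, while the local addresses and the dump directory path are hypothetical placeholders.

```conf
# Added example chrony.conf (chrony 4.x), not the plugin's generated file.

# Remote sources authenticated with NTS (names from this thread).
server time.cloudflare.com iburst nts
server nts.netnod.se iburst nts

# Local GPS-backed server without NTS. 192.168.10.5 is a hypothetical address.
server 192.168.10.5 iburst

# How unauthenticated sources take part in selection:
#   require  only authenticated sources can be selected; 192.168.10.5 is
#            ignored for selection (what the plugin currently sets)
#   prefer   authenticated sources are used; unauthenticated ones only as a
#            fallback when no authenticated source is selectable
#   mix      both kinds can be selected and combined
authselectmode prefer

# Save NTS cookies and the server address across restarts, so after a power
# outage chronyd can resume with cached state instead of needing working DNS
# and a fresh TLS handshake before it has correct time. Path is an assumption;
# use the directory your system's chrony package owns.
ntsdumpdir /var/lib/chrony

# Step the clock at startup when the offset is large (no RTC, or a bad one),
# rather than slewing for hours with certificate checks failing meanwhile.
makestep 1.0 3
```

Two caveats a practitioner would want: with `prefer` or `mix` the local source is only ever selected if it agrees with the remote ones, so a GPS clock that disagrees with the majority is still marked as a falseticker rather than trusted; and chronyd verifies the NTS-KE certificate against the name written in the `server` directive, so adding a server by bare IP as newsense suggests only authenticates if the server's certificate is valid for that address. In either case confirm the authentication status with `chronyc -N authdata` before relying on it.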
koushun:
I would like to have this as well.
On my (VLAN) interfaces I have port redirect for 123 pointing to the Chrony service over at 127.0.0.1:123 (having the default NTPD disabled).
Chrony is using NTS enabled NTP servers:
time.cloudflare.com
nts.netnod.se
sth1.nts.netnod.se
sth2.nts.netnode.se
However, I have been unable to incorporate my RPi with GPS HAT with this setup, because the NTP server on the RPi does not use NTS.
I have not thought of the condition described in the comment from newsense.
It would induce a whole lot of problems when I come to think of it, because I port-redirect :53 to Unbound as well, which only uses DoT upstream servers (they are configured using IP: 95.215.19.53@853, https://dns.njal.la) - but in regards to certificates, time is of the essence.
Good catch, newsense, thanks. Let's see if I find any IP addresses for these NTS-enabled NTP servers...
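The condition newsense describes and koushun had not considered (a source excluded as a falseticker, or a source that never becomes reachable after boot) is visible in `chronyc sources`. The following added example, which is not code from the thread or from the OPNsense plugin, parses that output and reports exactly those sources. The sample output embedded below is constructed for the example, not captured from a real system; the local addresses in it are hypothetical.

```python
"""Audit `chronyc sources` for falsetickers and unreachable sources.

Added example, not code from the thread or from the OPNsense chrony plugin.
Understands the text format of `chronyc sources` (chrony 4.x): column 1 is
the mode (^ server, = peer, # reference clock), column 2 the selection state.
"""
import subprocess
from dataclasses import dataclass

STATE_MEANING = {
    "*": "selected as the synchronisation source",
    "+": "combined with the selected source",
    "-": "not combined (excluded by the combining algorithm)",
    "?": "unreachable or no valid measurement yet",
    "x": "falseticker: its time disagrees with the majority, so it is ignored",
    "~": "too variable to be used",
}

# Constructed sample, not a real capture. The local GPS server (hypothetical
# 192.168.10.5) is the odd one out against the remote NTS servers and is
# marked 'x'; a second local box (192.168.10.6) has never answered.
SAMPLE_OUTPUT = """\
MS Name/IP address         Stratum Poll Reach LastRx Last sample
===============================================================================
^* time.cloudflare.com           3   6   377    41  -1170us[-1397us] +/- 9856us
^+ nts.netnod.se                 1   6   377    43   +341us[ +341us] +/- 8219us
^x 192.168.10.5                  1   6   377    40    +21ms[  +21ms] +/-   41ms
^? 192.168.10.6                  0   6     0     -     +0ns[   +0ns] +/-    0ns
"""


@dataclass
class Source:
    mode: str      # '^' server, '=' peer, '#' local reference clock
    state: str     # key of STATE_MEANING
    name: str
    stratum: int
    reach: int     # 8-bit reachability register, printed by chronyc in octal


def parse_sources(text):
    """Return one Source per data line; header and separator lines are skipped."""
    sources = []
    for line in text.splitlines():
        if len(line) < 3 or line.startswith("==") or line[0] not in "^=#":
            continue
        fields = line[2:].split()
        if len(fields) < 5:
            continue
        sources.append(Source(mode=line[0], state=line[1], name=fields[0],
                              stratum=int(fields[1]), reach=int(fields[3], 8)))
    return sources


def selected(sources):
    """Name of the source chronyd currently synchronises to, or None."""
    for s in sources:
        if s.state == "*":
            return s.name
    return None


def audit(sources):
    """List human-readable problems; an empty list means nothing to report."""
    problems = []
    for s in sources:
        if s.state == "x":
            problems.append(f"{s.name}: {STATE_MEANING['x']} (stratum {s.stratum})")
        elif s.reach == 0:
            problems.append(f"{s.name}: never reached (reach 0); check the firewall, "
                            f"DNS, and whether it depends on correct time at boot")
    if selected(sources) is None:
        problems.append("no source selected: chronyd is not synchronised")
    return problems


def run_chronyc():
    """Fetch live output; requires chronyc in PATH and a running chronyd."""
    return subprocess.run(["chronyc", "sources"], capture_output=True,
                          text=True, check=True).stdout


if __name__ == "__main__":
    try:
        output = run_chronyc()
    except (OSError, subprocess.CalledProcessError):
        output = SAMPLE_OUTPUT  # fall back to the constructed sample
    for problem in audit(parse_sources(output)) or ["no problems found"]:
        print(problem)
```

Run it on the firewall itself to see whether a mixed NTS/non-NTS setup is actually using the local clock; pair it with `chronyc -N authdata`, which shows which sources are NTS-authenticated, to tell an `x` caused by a bad clock apart from a source that was simply never authenticated under `authselectmode require`.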