Archive > 21.1 Legacy Series

[Feature request] Chrony authselectmode


Mr.Goodcat:
Hi,

I recently decided to switch to chrony which is working great so far :D
Unfortunately though, the plugin doesn't allow specifying the authselectmode, i.e. how to handle NTS. Currently it seems to be set to "require", meaning all non-NTS servers are ignored. However, I'd like to run a mix of remote NTS servers plus local non-NTS servers. Thus it would be great if the options "prefer" and "mix" were available. Would it be possible to add this with an upcoming update? Thanks!

mimugmail:
Can you open a feature request in GitHub? I'll take it then

Mr.Goodcat:
Hi,

thank you for your help! :D


--- Quote from: mimugmail on July 19, 2021, 10:17:20 pm ---Can you open a feature request in GitHub? I'll take it then

--- End quote ---

I opened up a request on Github, not sure if this is the right format though:
https://github.com/opnsense/plugins/issues/2470

newsense:
The request is a bit nonsensical in that public NTP servers will be of a lower stratum than an internal one, which presumably will be tied to a GPS device. When mixing and matching multiple lower stratum clocks against a single stratum 0 one (GPS/atomic), it will be discarded as
--- Quote --- 'x' = may be in error
--- End quote ---

The better option in the absence of an RTC clock would be to add the NTS servers both with DNS entries and IPs, so that a power outage doesn't create a chicken-and-egg problem when all SSL-based services including DNS come up and nothing works because the time is incorrect.

Other alternatives to consider: Rpi + GPS dongle and/or RTC clock module.

koushun:
I would like to have this as well.

On my (VLAN) interfaces I have port redirect for 123 pointing to the Chrony service over at 127.0.0.1:123 (having the default NTPD disabled).

Chrony is using NTS-enabled NTP servers:

time.cloudflare.com
nts.netnod.se
sth1.nts.netnod.se
sth2.nts.netnode.se

However, I have been unable to incorporate my RPi with GPS HAT with this setup, because the NTP server on the RPi does not use NTS.

I have not thought of the condition described in the comment from newsense.

It would induce a whole lot of problems when I come to think of it, because I also port redirect :53 to Unbound, which only uses DoT upstream servers (they are configured using IP - 95.215.19.53@853 - https://dns.njal.la ), but in regards to certificates, time is of the essence.

Good catch, newsense, thanks. Let's see if I can find any IP addresses for these NTS-enabled NTP servers...
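
The configuration the thread is asking for, as an added example that is not part of any post above and not the output of the OPNsense os-chrony plugin: a hand-written chrony.conf for Mr.Goodcat's and koushun's setup (remote NTS servers plus a local, unauthenticated GPS-backed server) that also addresses the boot-time certificate problem newsense raised. The NTS hostnames are the ones koushun posted; the local server address 192.168.10.5, the client range 192.168.0.0/16 and the /var/db/chrony paths are assumptions for illustration. Directive names and semantics are those of chrony 4.x; check chrony.conf(5) on the installed version before relying on them.

```conf
# Added example, not from the OPNsense plugin or any poster in this thread.
# Assumed: local GPS-disciplined RPi at 192.168.10.5, LAN clients in
# 192.168.0.0/16, chrony state directory /var/db/chrony.

# Remote NTS servers. The "nts" option makes chronyd perform an NTS-KE
# handshake over TLS and authenticate every NTP response with the cookies
# and keys obtained from it.
server time.cloudflare.com iburst nts
server nts.netnod.se       iburst nts
server sth1.nts.netnod.se  iburst nts

# Local GPS-backed RPi speaking plain NTP (no NTS). With the plugin's
# hard-coded "authselectmode require" this source is ignored outright.
server 192.168.10.5 iburst minpoll 4 maxpoll 6

# How authentication (NTS or symmetric keys) affects source selection:
#   require - only authenticated sources are selectable (the plugin's setting)
#   prefer  - unauthenticated sources are selectable only while no
#             authenticated source is selectable
#   mix     - authenticated and unauthenticated sources take part in the
#             same selection (chrony's own default)
#   ignore  - authentication plays no role in selection
# "prefer" keeps the behaviour of "require" as long as at least one NTS
# server is reachable and only falls back to the local clock when none is.
# Use "mix" if the local stratum-1 source should be allowed to win the
# selection on its own merits rather than only stand in during an outage.
authselectmode prefer

# The chicken-and-egg newsense describes: NTS-KE needs a valid certificate,
# and checking certificate validity needs a roughly correct clock.
#  - ntsdumpdir persists the NTS cookies and keys across restarts, so after
#    a reboot chronyd can authenticate the NTS servers without a fresh
#    NTS-KE handshake at all.
#  - nocerttimecheck N disables only the not-before/not-after check of the
#    server certificate for the first N NTS-KE handshakes; chain and name
#    validation still apply. It is a deliberate, bounded weakening: during
#    those handshakes an expired certificate would be accepted, so keep N at 1.
ntsdumpdir /var/db/chrony
nocerttimecheck 1

# Step the clock if it is more than 1 s off during the first 3 updates, so a
# badly wrong clock after a power loss is corrected before TLS clients start
# failing. Remember the measured frequency error between runs.
makestep 1.0 3
driftfile /var/db/chrony/drift

# Serve the LAN clients whose port-123 traffic is redirected to chronyd.
allow 192.168.0.0/16
```

Verification, once chronyd is running with such a configuration: `chronyc -N authdata` lists each source with its authentication mode and shows whether NTS cookies are present (a zero cookie count or a KeyID/Type of 0 means the NTS-KE handshake has not succeeded), and `chronyc sources -v` shows which source is currently selected (`*`) and which ones are marked `x` as falsetickers. If the local GPS source is consistently marked `x` under "mix", that is the stratum/offset disagreement newsense warned about and "prefer" is the safer choice.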
