Discussion:
NTP through DNS?
Mauricio Tavares
2018-09-19 14:08:34 UTC
Stupid question: can I publish/query the NTP server through DNS the
same way I can ask who is doing LDAP?
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Andrew Latham
2018-09-19 14:12:44 UTC
You can add SRV records for NTP to your domain if that is what you are
asking.
Post by Mauricio Tavares
Stupid question: can I publish/query the NTP server through DNS the
same way I can ask who is doing LDAP?
--
- Andrew "lathama" Latham -
Danny Mayer
2018-09-21 11:57:38 UTC
Post by Andrew Latham
You can add SRV records for NTP to your domain if that is what you are
asking.
NTP doesn't use SRV records and I don't see a use case to do so.
Therefore I have no idea why this would be any benefit. You can add NTP
specific FQDNs as A or AAAA or CNAME records if that would be helpful.

Danny
Post by Andrew Latham
Stupid question: can I publish/query the NTP server through DNS the
same way I can ask who is doing LDAP?
_______________________________________________
Please visit https://lists.isc.org/mailman/listinfo/bind-users to unsubscribe from this list

bind-users mailing list
bind-***@lists.isc.org
https://lists.isc.org/mailman/listinfo/bind-users
Warren Kumari
2018-09-21 19:56:48 UTC
Post by Danny Mayer
Post by Andrew Latham
You can add SRV records for NTP to your domain if that is what you are
asking.
NTP doesn't use SRV records and I don't see a use case to do so.
Well, apparently at one point you did :-) --
http://lists.ntp.org/pipermail/questions/2004-December/003645.html

It seems that FreeIPA does actually use SRV for NTP (
https://www.redhat.com/archives/freeipa-users/2014-August/msg00254.html)
It shows up in various other FreeIPA discussions, and there are some mentions
of it being used with NetApp.


W


Post by Danny Mayer
Therefore I have no idea why this would be any benefit. You can add NTP
specific FQDN's as A or AAAA or CNAME records if that would be helpful.
Danny
Post by Andrew Latham
Stupid question: can I publish/query the NTP server through DNS the
same way I can ask who is doing LDAP?
--
I don't think the execution is relevant when it was obviously a bad idea in
the first place.
This is like putting rabid weasels in your pants, and later expressing
regret at having chosen those particular rabid weasels and that pair of
pants.
---maf
Mukund Sivaraman
2018-09-19 14:16:45 UTC
Post by Mauricio Tavares
Stupid question: can I publish/query the NTP server through DNS the
same way I can ask who is doing LDAP?
An NTP service doesn't belong to a domain, so maybe not (I don't know of
one off my mind).

For provisioning, there are DHCP options to do this. E.g., with ISC-DHCP
and 10.98.0.5 as the NTP server:

subnet 10.98.0.0 netmask 255.255.0.0 {
...
option ntp-servers 10.98.0.5;
}

and perhaps also use "tcode" and "time-offset" options to set the
timezone.

But a real bummer is that some DHCP clients (e.g., Android phones) do
not make use of this option, and don't even provide a config setting to
do so. IIRC they synchronize time via the cell phone signal.

Mukund
Mauricio Tavares
2018-09-19 14:59:28 UTC
Post by Andrew Latham
You can add SRV records for NTP to your domain if that is what you are
asking.
Thanks. I was trying to query for it using dig and then realized
I did not know if that is doable.
Post by Andrew Latham
Post by Mauricio Tavares
Stupid question: can I publish/query the NTP server through DNS the
same way I can ask who is doing LDAP?
An NTP service doesn't belong to a domain, so maybe not (I don't know of
one off my mind).
Not necessarily; I can name a few universities and businesses that
offer their own NTP servers to their internal systems. AFAIK, this is
considered good practice.
Post by Andrew Latham
For provisioning, there are DHCP options to do this. E.g., with ISC-DHCP
subnet 10.98.0.0 netmask 255.255.0.0 {
...
option ntp-servers 10.98.0.5;
}
and perhaps also use "tcode" and "time-offset" options to set the
timezone.
But a real bummer is that some DHCP clients (e.g., Android phones) do
not make use of this option, and don't even provide a config setting to
do so. IIRC they synchronize time via the cell phone signal.
Add Windows devices to the list.
Post by Andrew Latham
Mukund
Andrew Latham
2018-09-19 15:12:37 UTC
Additionally you may route all outbound requests for NTP to a local source
found from a DNS lookup.

Benefits could be:
* Control of time sources (correct a hardcoded address that is no longer
valid)
* Mitigate attack vectors
* Mitigate bufferbloat

DNS is an important piece to this puzzle and SRV records can be useful when
devices support them. It does not hurt to add the SRV records for common
services.
Post by Mauricio Tavares
Post by Andrew Latham
You can add SRV records for NTP to your domain if that is what you are
asking.
Thanks. I was trying to query for it using dig and then realized
I did not know if that is doable.
Post by Andrew Latham
Post by Mauricio Tavares
Stupid question: can I publish/query the NTP server through DNS the
same way I can ask who is doing LDAP?
An NTP service doesn't belong to a domain, so maybe not (I don't know of
one off my mind).
Not necessarily; I can name a few universities and businesses that
offer their own NTP servers to their internal systems. AFAIK, this is
considered good practice.
Post by Andrew Latham
For provisioning, there are DHCP options to do this. E.g., with ISC-DHCP
subnet 10.98.0.0 netmask 255.255.0.0 {
...
option ntp-servers 10.98.0.5;
}
and perhaps also use "tcode" and "time-offset" options to set the
timezone.
But a real bummer is that some DHCP clients (e.g., Android phones) do
not make use of this option, and don't even provide a config setting to
do so. IIRC they synchronize time via the cell phone signal.
Add Windows devices to the list.
Post by Andrew Latham
Mukund
--
- Andrew "lathama" Latham -
Mauricio Tavares
2018-09-19 15:16:34 UTC
Post by Andrew Latham
Additionally you may route all outbound requests for NTP to a local source
found from a DNS lookup.
* Control of time sources (correct a hardcoded address that is no longer
valid)
* Mitigate attack vectors
* Mitigate bufferbloat
Wait! There is more!

* Provide NTP for hosts which cannot reach the outside world
* Keep Kerberos happy as the NTP server is not far.
Post by Andrew Latham
DNS is an important piece to this puzzle and SRV records can be useful when
devices support them. It does not hurt to add the SRV records for common
services.
Post by Mauricio Tavares
Post by Andrew Latham
You can add SRV records for NTP to your domain if that is what you are
asking.
Thanks. I was trying to query for it using dig and then realized
I did not know if that is doable.
Post by Andrew Latham
Post by Mauricio Tavares
Stupid question: can I publish/query the NTP server through DNS the
same way I can ask who is doing LDAP?
An NTP service doesn't belong to a domain, so maybe not (I don't know of
one off my mind).
Not necessarily; I can name a few universities and businesses that
offer their own NTP servers to their internal systems. AFAIK, this is
considered good practice.
Post by Andrew Latham
For provisioning, there are DHCP options to do this. E.g., with ISC-DHCP
subnet 10.98.0.0 netmask 255.255.0.0 {
...
option ntp-servers 10.98.0.5;
}
and perhaps also use "tcode" and "time-offset" options to set the
timezone.
But a real bummer is that some DHCP clients (e.g., Android phones) do
not make use of this option, and don't even provide a config setting to
do so. IIRC they synchronize time via the cell phone signal.
Add Windows devices to the list.
Post by Andrew Latham
Mukund
Ray Bellis
2018-09-19 15:19:12 UTC
Post by Mauricio Tavares
Post by Mukund Sivaraman
An NTP service doesn't belong to a domain, so maybe not (I don't know of
one off my mind).
Not necessarily; I can name a few universities and businesses that
offer their own NTP servers to their internal systems. AFAIK, this is
considered good practice.
That's not the point that Mukund was making.

An NTP server is part of your local network configuration. Your domain
name is also part of your local network configuration. As such, these
two values are often served by DHCP.

That does not mean, though, that there is a one-to-one mapping from your
domain name to your preferred set of NTP servers.

One could have numerous subnets located all over the planet with
different NTP servers, but all sharing the same domain name.

If it were feasible to store an NTP server address in the DNS it would
more logically fit in the in-addr.arpa zone, and not in a forward zone.

Ray
Andrew Latham
2018-09-19 15:37:32 UTC
Post by Ray Bellis
Post by Mauricio Tavares
Post by Mukund Sivaraman
An NTP service doesn't belong to a domain, so maybe not (I don't know of
one off my mind).
Not necessarily; I can name a few universities and businesses that
offer their own NTP servers to their internal systems. AFAIK, this is
considered good practice.
That's not the point that Mukund was making.
An NTP server is part of your local network configuration. Your domain
name is also part of your local network configuration. As such, these
two values are often served by DHCP.
That does not mean, though, that there is a one-to-one mapping from your
domain name to your preferred set of NTP servers.
One could have numerous subnets located all over the planet with
different NTP servers, but all sharing the same domain name.
If it were feasible to store an NTP server address in the DNS it would
more logically fit in the in-addr.arpa zone, and not in a forward zone.
Many organizations have per site "views" of the zone so it actually works
out well. There are many ways of building functional infrastructure. I
agree there are many applications where this setup would not be useful,
just addressing OP.
Post by Ray Bellis
Ray
--
- Andrew "lathama" Latham -
Kevin Darcy
2018-09-19 21:59:54 UTC
I'll just toss in the factoid that NTP can be run on multicast or anycast,
which may negate some of the motivation for using a DNS name to access the
service.


- Kevin
Post by Andrew Latham
Post by Ray Bellis
Post by Mauricio Tavares
Post by Mukund Sivaraman
An NTP service doesn't belong to a domain, so maybe not (I don't know of
one off my mind).
Not necessarily; I can name a few universities and businesses that
offer their own NTP servers to their internal systems. AFAIK, this is
considered good practice.
That's not the point that Mukund was making.
An NTP server is part of your local network configuration. Your domain
name is also part of your local network configuration. As such, these
two values are often served by DHCP.
That does not mean, though, that there is a one-to-one mapping from your
domain name to your preferred set of NTP servers.
One could have numerous subnets located all over the planet with
different NTP servers, but all sharing the same domain name.
If it were feasible to store an NTP server address in the DNS it would
more logically fit in the in-addr.arpa zone, and not in a forward zone.
Many organizations have per site "views" of the zone so it actually works
out well. There are many ways of building functional infrastructure. I
agree there are many applications where this setup would not be useful,
just addressing OP.
Post by Ray Bellis
Ray
Danny Mayer
2018-09-21 11:47:46 UTC
Post by Ray Bellis
Post by Mauricio Tavares
Post by Mukund Sivaraman
An NTP service doesn't belong to a domain, so maybe not (I don't know of
one off my mind).
Not necessarily; I can name a few universities and businesses that
offer their own NTP servers to their internal systems. AFAIK, this is
considered good practice.
That's not the point that Mukund was making.
An NTP server is part of your local network configuration. Your domain
name is also part of your local network configuration. As such, these
two values are often served by DHCP.
That does not mean, though, that there is a one-to-one mapping from your
domain name to your preferred set of NTP servers.
One could have numerous subnets located all over the planet with
different NTP servers, but all sharing the same domain name.
If it were feasible to store an NTP server address in the DNS it would
more logically fit in the in-addr.arpa zone, and not in a forward zone.
Putting on both my BIND9 and NTP hats for a moment:

This answer makes no sense. NTP uses standard DNS FQDNs for all of its
references to NTP servers whether it's using pool, server or peer. I
have no idea where the reverse zone comes in though I haven't read the
whole thread. The NTP services all belong to domains, whether internal or
external. There is a DHCP option that we have seen but it seems to cause
more confusion than anything.

You can create a DNS A or AAAA or even a CNAME in your local DNS that
the NTP server can use and it all works.

Let me know if I misunderstood what this is really about.

Danny
Ray Bellis
2018-09-21 11:56:40 UTC
Post by Danny Mayer
This answer makes no sense. NTP uses standard DNS FQDNs for all of its
references to NTP servers whether it's using pool, server or peer. I
have no idea where the reverse zone comes in though I haven't read the
whole thread. The NTP services all belong to domains, whether internal or
external. There is a DHCP option that we have seen but it seems to cause
more confusion than anything.
You can create a DNS A or AAAA or even a CNAME in your local DNS that
the NTP server can use and it all works.
Let me know if I misunderstood what this is really about.
I believe you have.

The discussion was about automated _discovery_ of the DNS name of your
NTP server using an additional level of indirection so that it can be
automatically configured without using DHCP.

Ray
Danny Mayer
2018-09-21 19:14:41 UTC
Post by Ray Bellis
Post by Danny Mayer
This answer makes no sense. NTP uses standard DNS FQDNs for all of its
references to NTP servers whether it's using pool, server or peer. I
have no idea where the reverse zone comes in though I haven't read the
whole thread. The NTP services all belong to domains, whether internal or
external. There is a DHCP option that we have seen but it seems to cause
more confusion than anything.
You can create a DNS A or AAAA or even a CNAME in your local DNS that
the NTP server can use and it all works.
Let me know if I misunderstood what this is really about.
I believe you have.
The discussion was about automated _discovery_ of the DNS name of your
NTP server using an additional level of indirection so that it can be
automatically configured without using DHCP.
That's easy. Create a FQDN called ntp in your domain and have it be a
set of CNAMEs pointing to the ntp servers you want to use. The ntpd pool
option will take care of setting the multiple servers. You don't need
the complexity of SRV records.

Danny
Mauricio Tavares
2018-09-21 19:57:09 UTC
Post by Danny Mayer
Post by Ray Bellis
Post by Danny Mayer
This answer makes no sense. NTP uses standard DNS FQDNs for all of its
references to NTP servers whether it's using pool, server or peer. I
have no idea where the reverse zone comes in though I haven't read the
whole thread. The NTP services all belong to domains, whether internal or
external. There is a DHCP option that we have seen but it seems to cause
more confusion than anything.
You can create a DNS A or AAAA or even a CNAME in your local DNS that
the NTP server can use and it all works.
Let me know if I misunderstood what this is really about.
I believe you have.
The discussion was about automated _discovery_ of the DNS name of your
NTP server using an additional level of indirection so that it can be
automatically configured without using DHCP.
That's easy. Create a FQDN called ntp in your domain and have it be a
set of CNAMEs pointing to the ntp servers you want to use. The ntpd pool
option will take care of setting the multiple servers. You don't need
the complexity of SRV records.
But that is not, as Ray said, automated discovery. You are
asking the computer to make assumptions, i.e. "if I am in domain
hey.com, the ntp is ntp.hey.com." I am more on the lines of "hey
domain thingie. You know where a lot of your basic network resources
are. If you have a ntp server do you know where it is just like you
know where your mail, LDAP, and kerbie servers are hiding?"
Post by Danny Mayer
Danny
Danny Mayer
2018-09-21 20:19:51 UTC
Post by Mauricio Tavares
Post by Danny Mayer
Post by Ray Bellis
Post by Danny Mayer
This answer makes no sense. NTP uses standard DNS FQDNs for all of its
references to NTP servers whether it's using pool, server or peer. I
have no idea where the reverse zone comes in though I haven't read the
whole thread. The NTP services all belong to domains, whether internal or
external. There is a DHCP option that we have seen but it seems to cause
more confusion than anything.
You can create a DNS A or AAAA or even a CNAME in your local DNS that
the NTP server can use and it all works.
Let me know if I misunderstood what this is really about.
I believe you have.
The discussion was about automated _discovery_ of the DNS name of your
NTP server using an additional level of indirection so that it can be
automatically configured without using DHCP.
That's easy. Create a FQDN called ntp in your domain and have it be a
set of CNAMEs pointing to the ntp servers you want to use. The ntpd pool
option will take care of setting the multiple servers. You don't need
the complexity of SRV records.
But that is not, as Ray said, automated discovery. You are
asking the computer to make assumptions, i.e. "if I am in domain
hey.com, the ntp is ntp.hey.com." I am more on the lines of "hey
domain thingie. You know where a lot of your basic network resources
are. If you have a ntp server do you know where it is just like you
know where your mail, LDAP, and kerbie servers are hiding?"
That's not what I wrote. Someone needs to maintain an SRV record. It's
not a good idea for domains to announce their NTP servers since they can
be abused by others not authorized to use them. We've had plenty of
abuse along those lines along with DDoS attacks. What the ntp CNAME
would do is point to a number of other servers to use and you don't need
to call it ntp, it's just a string.

Danny
Danny Mayer
2018-09-22 01:39:05 UTC
Post by Danny Mayer
Post by Mauricio Tavares
Post by Danny Mayer
Post by Ray Bellis
The discussion was about automated _discovery_ of the DNS name of your
NTP server using an additional level of indirection so that it can be
automatically configured without using DHCP.
That's easy. Create a FQDN called ntp in your domain and have it be a
set of CNAMEs pointing to the ntp servers you want to use. The ntpd pool
option will take care of setting the multiple servers. You don't need
the complexity of SRV records.
But that is not, as Ray said, automated discovery. You are
asking the computer to make assumptions, i.e. "if I am in domain
hey.com, the ntp is ntp.hey.com." I am more on the lines of "hey
domain thingie. You know where a lot of your basic network resources
are. If you have a ntp server do you know where it is just like you
know where your mail, LDAP, and kerbie servers are hiding?"
That's not what I wrote. Someone needs to maintain an SRV record. It's
not a good idea for domains to announce their NTP servers since they can
be abused by others not authorized to use them. We've had plenty of
abuse along those lines along with DDoS attacks. What the ntp CNAME
would do is point to a number of other servers to use and you don't need
to call it ntp, it's just a string.
but *nobody* cares about what is a good idea when the question was
simply "does ntp discovery work" where the answer is simply no
No, that's not true. Consider what you are doing. You are substituting
SRV records for CNAME records. There is nothing magical here. NTP can
use the CNAME records. Either way the records have to be configured.
What do you think you are discovering? SRV records aren't magic.

Danny
Matus UHLAR - fantomas
2018-09-22 13:30:23 UTC
Post by Danny Mayer
Post by Danny Mayer
Post by Mauricio Tavares
But that is not, as Ray said, automated discovery. You are
asking the computer to make assumptions, i.e. "if I am in domain
hey.com, the ntp is ntp.hey.com." I am more on the lines of "hey
domain thingie. You know where a lot of your basic network resources
are. If you have a ntp server do you know where it is just like you
know where your mail, LDAP, and kerbie servers are hiding?"
That's not what I wrote. Someone needs to maintain an SRV record. It's
not a good idea for domains to announce their NTP servers since they can
be abused by others not authorized to use them. We've had plenty of
abuse along those lines along with DDoS attacks. What the ntp CNAME
would do is point to a number of other servers to use and you don't need
to call it ntp, it's just a string.
but *nobody* cares about what is a good idea when the question was
simply "does ntp discovery work" where the answer is simply no
No, that's not true. Consider what you are doing. You are substituting
SRV records for CNAME records. There is nothing magical here. NTP can
use the CNAME records. Either way the records have to be configured.
What do you think you are discovering? SRV records aren't magic.
The OP request indicated that they wish for ntp autoconfiguration. There is
no autoconfiguration we know of, except DHCP, which was reported often not to
work.

Using either CNAME or SRV records won't change the fact that the ntp server does
not autoconfigure itself.

Neither of them changes the fact that the NTP configuration is not
related to the domain, but to the local network.
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Varovanie: na tuto adresu chcem NEDOSTAVAT akukolvek reklamnu postu.
Chernobyl was a Windows 95 beta test site.
Andrew Latham
2018-09-22 16:05:24 UTC
chrony does today btw

- debian/chrony-helper:
- New helper script to make use of NTP servers obtained from DHCP and
_ntp._udp DNS SRV records.
Post by Matus UHLAR - fantomas
Post by Danny Mayer
Post by Danny Mayer
Post by Mauricio Tavares
But that is not, as Ray said, automated discovery. You are
asking the computer to make assumptions, i.e. "if I am in domain
hey.com, the ntp is ntp.hey.com." I am more on the lines of "hey
domain thingie. You know where a lot of your basic network resources
are. If you have a ntp server do you know where it is just like you
know where your mail, LDAP, and kerbie servers are hiding?"
That's not what I wrote. Someone needs to maintain an SRV record. It's
not a good idea for domains to announce their NTP servers since they can
be abused by others not authorized to use them. We've had plenty of
abuse along those lines along with DDoS attacks. What the ntp CNAME
would do is point to a number of other servers to use and you don't need
to call it ntp, it's just a string.
but *nobody* cares about what is a good idea when the question was
simply "does ntp discovery work" where the answer is simply no
No, that's not true. Consider what you are doing. You are substituting
SRV records for CNAME records. There is nothing magical here. NTP can
use the CNAME records. Either way the records have to be configured.
What do you think you are discovering? SRV records aren't magic.
The OP request indicated that they wish for ntp autoconfiguration. There is
no autoconfiguration we know of, except DHCP, which was reported often not to
work.
Using either CNAME or SRV records won't change the fact that the ntp server does
not autoconfigure itself.
Neither of them changes the fact that the NTP configuration is not
related to the domain, but to the local network.
--
- Andrew "lathama" Latham -
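Added example, written for this thread and not taken from chrony, ntpd, BIND or any of the posters: a Python sketch of what a chrony-helper-style discovery step does with `_ntp._udp` SRV records (RFC 2782 priority/weight ordering), with Danny's earlier suggestion of a pool-style name that resolves to several addresses as the fallback. The zone contents, host names under `example.internal.`, and the `10.98.0.0/16` "internal" prefix are constructed; the prefix filter is my addition, the client-side counterpart to Danny's point that announced NTP servers get abused: discovery data in DNS should not be allowed to steer a client to an arbitrary outside host either.

```python
"""Added example: SRV-based NTP discovery with a pool-name fallback.
Not chrony's, ntpd's or BIND's code. ZONE and INTERNAL_PREFIXES are
constructed; a deployed script would query a resolver instead."""
import ipaddress
import random
from dataclasses import dataclass

# Constructed zone contents keyed by (owner name, record type); rdata is in
# the textual form dig prints. None of these hosts exist.
ZONE = {
    ("_ntp._udp.example.internal.", "SRV"): [
        "10 60 123 ntp1.example.internal.",
        "10 40 123 ntp2.example.internal.",
        "20 0 123 ntp-backup.example.internal.",   # resolves outside our prefixes
        "30 0 1123 odd-port.example.internal.",    # non-standard port
    ],
    ("ntp1.example.internal.", "A"): ["10.98.0.5"],
    ("ntp2.example.internal.", "A"): ["10.98.0.6"],
    ("ntp-backup.example.internal.", "A"): ["203.0.113.9"],
    ("odd-port.example.internal.", "A"): ["10.98.0.7"],
    ("ntplist.example.internal.", "A"): ["10.98.0.5", "10.98.0.6"],
}

# Assumption: a client on this network may only sync from these prefixes.
INTERNAL_PREFIXES = [ipaddress.ip_network("10.98.0.0/16")]


@dataclass(frozen=True)
class SrvRecord:
    priority: int
    weight: int
    port: int
    target: str


def parse_srv(rdata):
    """Parse SRV rdata 'priority weight port target' (RFC 2782 field order)."""
    fields = rdata.split()
    if len(fields) != 4:
        raise ValueError(f"malformed SRV rdata: {rdata!r}")
    rec = SrvRecord(int(fields[0]), int(fields[1]), int(fields[2]), fields[3])
    if not all(0 <= v <= 65535 for v in (rec.priority, rec.weight, rec.port)):
        raise ValueError(f"SRV field out of range: {rdata!r}")
    return rec


def order_srv(records, pick=None):
    """Order records as RFC 2782 prescribes: lowest priority first, and within
    one priority a weighted random draw, with zero-weight records listed first
    so they have only a small chance of an early pick. `pick(upper)` returns
    an int in [0, upper]; it is injectable so the ordering can be tested."""
    pick = pick or (lambda upper: random.randint(0, upper))
    ordered = []
    for prio in sorted({r.priority for r in records}):
        group = [r for r in records if r.priority == prio]
        group.sort(key=lambda r: r.weight != 0)  # stable sort: zero weights first
        while group:
            choice = pick(sum(r.weight for r in group))
            running = 0
            chosen = group[-1]
            for rec in group:
                running += rec.weight
                if running >= choice:
                    chosen = rec
                    break
            ordered.append(chosen)
            group.remove(chosen)
    return ordered


def addresses_of(zone, name):
    """All A/AAAA rdata published for `name` in the constructed zone."""
    return zone.get((name, "A"), []) + zone.get((name, "AAAA"), [])


def is_internal(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in prefixes)


def discover_ntp(zone, domain, prefixes=INTERNAL_PREFIXES, pick=None):
    """Return server/pool config lines (the directives exist in both chronyd
    and ntpd). SRV records win; if none are published, fall back to a
    pool-style name whose address records the client's `pool` directive
    expands into one association per address."""
    srv_rdata = zone.get((f"_ntp._udp.{domain}", "SRV"), [])
    lines = []
    for rec in order_srv([parse_srv(r) for r in srv_rdata], pick):
        if rec.port != 123:
            continue  # assumption: this client cannot set a per-server port
        addrs = addresses_of(zone, rec.target)
        if not addrs or not all(is_internal(a, prefixes) for a in addrs):
            continue  # discovery data must not steer us to an outside host
        lines.append(f"server {rec.target.rstrip('.')} iburst")
    if not lines and addresses_of(zone, f"ntplist.{domain}"):
        lines.append(f"pool ntplist.{domain.rstrip('.')} iburst")
    return lines


if __name__ == "__main__":
    print("\n".join(discover_ntp(ZONE, "example.internal.")))
```

Run as-is, the script emits two `server ... iburst` lines for `ntp1` and `ntp2` (their relative order depends on the weighted draw), silently drops the backup target because it resolves outside the allowed prefix, and drops the record with a non-standard port. Pass a zone without SRV records and it falls back to a single `pool ntplist.<domain> iburst` line, which is the CNAME/A-based approach Danny describes; note that the prefix check only applies to the SRV path here, since the `pool` directive resolves the name inside the client.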
Danny Mayer
2018-09-24 14:15:32 UTC
Post by Danny Mayer
Post by Danny Mayer
But that is not, as Ray said, automated discovery. You are
asking the computer to make assumptions, i.e. "if I am in domain
hey.com, the ntp is ntp.hey.com." I am more on the lines of "hey
domain thingie. You know where a lot of your basic network resources
are. If you have a ntp server do you know where it is just like you
know where your mail, LDAP, and kerbie servers are hiding?"
That's not what I wrote. Someone needs to maintain an SRV record. It's
not a good idea for domains to announce their NTP servers since they can
be abused by others not authorized to use them. We've had plenty of
abuse along those lines along with DDoS attacks. What the ntp CNAME
would do is point to a number of other servers to use and you don't need
to call it ntp, it's just a string.
but *nobody* cares about what is a good idea when the question was
simply "does ntp discovery work" where the answer is simply no
No, that's not true. Consider what you are doing. You are substituting
SRV records for CNAME records. There is nothing magical here. NTP can
use the CNAME records. Either way the records have to be configured.
What do you think you are discovering? SRV records aren't magic.
The OP request indicated that they wish for ntp autoconfiguration. There is
no autoconfiguration we know of, except DHCP, which was reported often not to
work.
I worked with the DHCP working group a number of years ago to add
options for ntp configuration. The RFC has been released but I don't
have that ID handy. I have no idea whether any DHCP implementation is
using it today.
Using either CNAME or SRV records won't change the fact that the ntp server does
not autoconfigure itself.
Neither of them changes the fact that the NTP configuration is not
related to the domain, but to the local network.
Doesn't matter. The pool configuration option works like the server
option but sets up all of the servers that it finds rather than just
taking the first one on the list.

pool ntplist.yourdomain iburst

in your ntp.conf file works really well.

Danny
Ray Bellis
2018-09-23 10:24:30 UTC
Post by Danny Mayer
No, that's not true. Consider what you are doing. You are substituting
SRV records for CNAME records. There is nothing magical here. NTP can
use the CNAME records. Either way the records have to be configured.
What do you think you are discovering? SRV records aren't magic.
SRV records aren't magic, but they are an "approved" way of discovering
services.

We've all seen what happened with the convention of "www." to "discover"
the HTTP service on a domain and how the (marketing folks) desire to
drop that has caused no end of CNAME related issues...

Ray

Dave Warren
2018-09-23 23:22:08 UTC
Permalink
Post by Ray Bellis
Post by Danny Mayer
No, that's not true. Consider what you are doing. You are substituting
SRV records for CNAME records. There is nothing magical here. NTP can
use the CNAME records. Either way the records have to be configured.
What do you think you are discovering? SRV records aren't magic.
SRV records aren't magic, but they are an "approved" way of discovering
services.
If you have a domain, yes. But it doesn't help with network based autodiscovery in a meaningful way. I would argue DHCP is the correct answer (even if it points to DNS and uses SRV records, the process starts with DHCP). But we also know that many clients don't use DHCP provided NTP servers, so split view DNS records are the only real practical solution that is client-independent, noting that it still needs some initial client configuration.
Post by Ray Bellis
We've all seen what happened with the convention of "www." to "discover"
the HTTP service on a domain and how the (marketing folks) desire to
drop that has caused no end of CNAME related issues...
Doesn't this predate SRV records?
Danny Mayer
2018-09-24 14:00:49 UTC
Permalink
Post by Danny Mayer
but *nobody* cares about what is a good idea when the question was
simply "does ntp discovery work" where the answer is simply no
No, that's not true. Consider what you are doing. You are substituting
SRV records for CNAME records. There is nothing magical here. NTP can
use the CNAME records. Either way the records have to be configured.
What do you think you are discovering? SRV records aren't magic
* hell, the topic is "is ntp autodiscovery possible?"
* that's done with SRV records for supported services
* but nothing is using them in case of NTP
* so the whole answer to the thread is simply "no"
"NTP can use the CNAME records" makes no sense at all in this topic
the topic is not about what NTP can use, the topic is about unconfigured
machines *finding* the NTP server in the local network without any
manual configuration - not more, not less
This is very simple to do. It does not require SRV records to implement.
Note that I am only answering for the ntp reference implementation.

In your domain file add entries like this:

locationntp CNAME ntp1.yourdomain
CNAME ntp2.yourdomain
CNAME externalntp.otherdomain
CNAME externalntp.someotherdomain

In your ntp.conf file put the following line:
pool locationntp.yourdomain

This will cause it to use ALL of the entries listed. You can have as
many as 10 entries in your DNS and it will use all of them. Don't use
less than 3, 4 is better.

Simple enough?

Danny
Matus UHLAR - fantomas
2018-09-25 08:00:49 UTC
Permalink
Post by Danny Mayer
* hell, the topic is "is ntp autodiscovery possible?"
^^^^^^^^^^^^^
Post by Danny Mayer
* so the whole answer to the thread is simply "no"
"NTP can use the CNAME records" makes no sense at all in this topic
the topic is not about what NTP can use, the topic is about unconfigured
machines *finding* the NTP server in the local network without any
^^^^^^^^^^^
Post by Danny Mayer
manual configuration - not more, not less
^^^^^^^^^^^^^^^^^^^^
this is called local configuration.
Post by Danny Mayer
Simple enough?
No. It requires local configuration of the NTP server.
In that case, a DNS-side solution is useless.
--
Matus UHLAR - fantomas, ***@fantomas.sk ; http://www.fantomas.sk/
Warning: I wish NOT to receive e-mail advertising to this address.
Warning: I do not wish to receive any advertising mail at this address.
"One World. One Web. One Program." - Microsoft promotional advertisement
"One people, one Reich, one leader!" - Adolf Hitler
Chris Thompson
2018-09-26 16:59:48 UTC
Permalink
On Sep 24 2018, Danny Mayer wrote:
[...]
Post by Danny Mayer
This is very simple to do. It does not require SRV records to implement.
Note that I am only answering for the ntp reference implementation.
locationntp CNAME ntp1.yourdomain
CNAME ntp2.yourdomain
CNAME externalntp.otherdomain
CNAME externalntp.someotherdomain
Assuming that you are running name server software that actually allows
you to have several CNAMEs with the same label, of course.

BIND8 with "multiple-cnames yes", perhaps? :-)
--
Chris Thompson
Email: ***@cam.ac.uk
Mukund Sivaraman
2018-09-21 11:58:50 UTC
Permalink
Hi Danny
Post by Danny Mayer
You can create a DNS A or AAAA or even a CNAME in your local DNS that
the NTP server can use and it all works.
The original poster asked "can I publish/query the NTP server through
DNS the same way I can ask who is doing LDAP?"

That implied service discovery / config provisioning, not just
publishing address records of the NTP service in the DNS.

Mukund
Bob McDonald
2018-09-27 14:54:26 UTC
Permalink
Having multiple CNAME records for the same hostname is a violation of
RFC 1034. (that and bind9 won't allow it...)

Surely there must be some creative solution which a) doesn't violate the
DNS specs and b) doesn't suggest the use of deprecated software (bind8).

Regards,

Bob

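Added example, not code from ntpd, BIND or anyone in the thread: a small checker that parses a zone fragment shaped like Danny's, flags the RFC 1034 rule that a CNAME cannot share an owner name with any other record (the problem Chris and Bob point out), and emits the valid alternative, several A/AAAA records at the one name that a `pool` line in ntp.conf resolves to all members of. Hostnames and addresses are constructed sample data.

```python
"""Added example: check a zone fragment against the RFC 1034 rule that a
CNAME must be the only record at its owner name, and emit the valid
alternative (several A/AAAA records at one name) that ntpd's 'pool'
directive expands.  Not code from ntpd or BIND; data is constructed."""
from collections import defaultdict

# Constructed fragment in the shape posted in the thread: several CNAMEs
# under one owner name.  BIND 9 refuses to load a zone containing this.
BAD_FRAGMENT = """\
locationntp CNAME ntp1.yourdomain.
            CNAME ntp2.yourdomain.
            CNAME externalntp.otherdomain.
"""


def parse_fragment(text):
    """Return {owner: [(rtype, rdata), ...]}.

    A line starting with whitespace inherits the previous owner name, as
    in the fragment above.  TTL and class fields are not supported here.
    """
    records = defaultdict(list)
    owner = None
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith(";"):
            continue
        fields = line.split()
        if line[0].isspace():
            if owner is None:
                raise ValueError("first record has no owner name")
            rtype, rdata = fields[0], fields[1]
        else:
            owner, rtype, rdata = fields[0], fields[1], fields[2]
        records[owner].append((rtype.upper(), rdata))
    return dict(records)


def cname_violations(records):
    """Owner names where a CNAME shares the name with any other record."""
    return sorted(owner for owner, rrs in records.items()
                  if any(t == "CNAME" for t, _ in rrs) and len(rrs) > 1)


def as_pool_records(owner, addresses):
    """Rewrite the pool name as address records, one per server.  This is
    the form a 'pool <name>' line in ntp.conf resolves to all members of."""
    lines = []
    for addr in addresses:
        lines.append(f"{owner} {'AAAA' if ':' in addr else 'A'} {addr}")
    return "\n".join(lines)
```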