NTP protections

Read this and I want to ask:

Why not add secure NTP support to make NTP more secure, or even migrate to DNS-based time?

Size matters…

…and any kind of encryption is difficult without a roughly correct system time, but 98% of all OpenWrt systems don't have a battery-backed RTC, so the time will be (vastly) off after a reboot. Meet your chicken-and-egg problem.

If the topic is of particular interest to you, you could also derive the time from a GPS receiver or things like DCF77.

3 Likes

That article is quite aged.
Autokey is not secure.
The amplification protocol is not implemented in BusyBox at all.
NTS (TLS-based key generation) will have a hard time initializing when all SSL certs are expired.
4 NTP servers are configured to avoid a single rogue server skewing the time.
Can you elaborate in which corner of DNS there is time?
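
The point above about configuring four servers, as an added example that is not part of the original posts and is not BusyBox ntpd's own code: a simplified Marzullo-style interval intersection showing how one rogue source is outvoted when three others agree. The function names and sample offsets are constructed for illustration.

```python
from typing import List, Optional, Tuple

# (lowest, highest) plausible clock offset in seconds reported by one source,
# i.e. measured offset minus/plus its error bound.
Interval = Tuple[float, float]


def best_agreement(intervals: List[Interval]) -> Tuple[int, Interval]:
    """Return (number of agreeing sources, offset range they all share)."""
    # Every interval yields a start edge (-1) and an end edge (+1).
    # Tuples sort starts before ends at the same point, so touching
    # intervals still count as overlapping.
    edges = sorted(
        [(lo, -1) for lo, _ in intervals] + [(hi, +1) for _, hi in intervals]
    )
    best, count, best_range = 0, 0, (0.0, 0.0)
    for i, (point, kind) in enumerate(edges):
        count -= kind  # start edge raises the overlap count, end edge lowers it
        if kind == -1 and count > best:
            best = count
            # The shared range runs from this start to the next edge.
            best_range = (point, edges[i + 1][0])
    return best, best_range


def select_offset(intervals: List[Interval]) -> Optional[float]:
    """Midpoint of the majority range, or None if no strict majority agrees."""
    agreeing, (lo, hi) = best_agreement(intervals)
    if agreeing * 2 <= len(intervals):
        return None  # a tie or minority: the client cannot tell who is lying
    return (lo + hi) / 2


# Constructed sample data: three honest sources and one that is an hour off.
HONEST = [(-0.03, 0.07), (-0.01, 0.05), (0.00, 0.08)]
ROGUE = (3599.95, 3600.05)

if __name__ == "__main__":
    print("4 servers, 1 rogue :", select_offset(HONEST + [ROGUE]))
    print("2 servers, 1 rogue :", select_offset([HONEST[0], ROGUE]))
    print("1 server, rogue    :", select_offset([ROGUE]))
```

With a single configured server the rogue offset is accepted as-is, and with two servers the disagreement cannot be resolved; only with a strict majority of agreeing sources is the outlier discarded.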