pqRPKI: A Practical RPKI Architecture for the Post-Quantum Era

The Resource Public Key Infrastructure (RPKI) secures Internet routing by binding IP prefixes to authorized Autonomous Systems, yet its RSA foundations are vulnerable to quantum adversaries. A naive swap to post-quantum (PQ) signatures (e.g., Falcon) is a poor fit for RPKI's bulk model: every relying party (RP) repeatedly fetches and validates the entire global repository, so larger keys and signatures inflate bandwidth and CPU cost, especially during a long dual-stack transition. We present pqRPKI, a post-quantum RPKI framework that pairs a multi-layer Merkle Tree Ladder (MTL) with RPKI objects, customized to relocate per-object verification material from certificates into the Manifest. To update RPKI for Merkle-tree-based schemes, pqRPKI redesigns the RPKI manifest and delegation chain and introduces a ladder-guided sync and bulk-verification workflow that lets validators localize diffs top-down and rebuild trees bottom-up. pqRPKI also preserves current RPKI objects and encodings, supports both hosted and delegated operation, and provides an additive migration path that coexists with today's trust anchors for dual-stack deployment with little size overhead. Implemented as a working publication point (PP) and RPs, we show that pqRPKI reduces repository footprint to 546.8 MB on average (65.5%/83.1% smaller than Falcon/ML-DSA), cuts full-cycle validation to 102.7 s, and achieves 118.3 s end-to-end PP to Router time, enabling sub-2-minute operating cadences with full-repository validation each cycle. Dual-stack deployment with RSA adds just 3.4% size overhead versus today's RPKI repositories.

arXiv.org

As well as the obvious implications to navigation both at sea and in the air, this is a timely reminder not to rely only on satellite-based signals for network time synchronisation.

#GPS #GNSS #jamming #NTP #PTP #time

https://www.france24.com/en/middle-east/20260306-surge-gps-interference-strait-hormuz-increases-shipping-risks

Surge in GPS interference around Strait of Hormuz increases shipping risks

More than 1,100 vessels have been hit by GPS interference across the Middle East Gulf since the start of the conflict, according to maritime firm Windward. Experts warn these attacks pose severe risks to navigation and are contributing to the de facto blockade of the strategic Strait of Hormuz.

FRANCE 24

Does anyone else use satellite-based time?

I would like to make a second one, and set the first to use GPS (US) only.

Set the second to use Galileo (EU) only.

And later have 2 more micro boards to do the same with the Chinese and Russian counterparts.

So I have multiple NTP sources to be "bug resistant if one of them suddenly sends bad time".

#ntp #nts #time #times #satellite #server
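
How a client can outvote a single bad source, as an added example that is not part of the post above: a simplified Marzullo-style interval intersection (the idea behind NTP source selection, not code from ntpd or chrony). The source names, offsets and error bounds are constructed assumptions.

```python
from typing import NamedTuple

class Source(NamedTuple):
    name: str
    offset_us: int  # measured offset from the local clock, microseconds
    bound_us: int   # maximum error claimed for that measurement

def select_truechimers(sources):
    """Return (lo, hi, truechimers, falsetickers) using a Marzullo-style
    intersection; raise ValueError when no majority of sources agree."""
    edges = []
    for s in sources:
        edges.append((s.offset_us - s.bound_us, -1))  # interval opens
        edges.append((s.offset_us + s.bound_us, +1))  # interval closes
    edges.sort()  # at equal values an opening (-1) sorts before a closing
    best = count = 0
    lo = hi = 0
    for i, (value, kind) in enumerate(edges):
        count -= kind
        if count > best:  # a deeper overlap region starts at this edge
            best, lo, hi = count, value, edges[i + 1][0]
    if best * 2 <= len(sources):
        raise ValueError("no majority of sources agree on the time")
    # Sources whose interval covers the agreed window are kept.
    good = [s.name for s in sources
            if s.offset_us - s.bound_us <= lo and s.offset_us + s.bound_us >= hi]
    bad = [s.name for s in sources if s.name not in good]
    return lo, hi, good, bad

# Constructed sample: one receiver per constellation, one reporting bad time.
SAMPLE = [
    Source("gps", 1200, 500),
    Source("galileo", 1000, 500),
    Source("beidou", 1400, 500),
    Source("glonass", 2_500_000, 500),  # 2.5 s away from the others
]

if __name__ == "__main__":
    lo, hi, good, bad = select_truechimers(SAMPLE)
    print(f"agreed offset window: {lo}..{hi} us")
    print("truechimers:", good, "falsetickers:", bad)
```

With only two sources that disagree, the function raises instead of picking one, which is why at least three independent sources are needed before a bad one can be identified.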

At SCALE 23x, we had the opportunity to speak with Harlan Stenn, President and Board Chair of the Network Time Foundation.

Harlan shared how he began using FreeBSD in the early days, testing it alongside other systems, and ultimately chose to run it on all his machines because it was stable, reliable, and simply worked.

It’s always powerful to hear from long-time contributors who have seen FreeBSD evolve over decades and still trust it today.

#FreeBSD #SCALE23x #OpenSource #NTP #Community

Fun fact: The best way to enable ptp_kvm on #coreos is ensuring the kernel arg ignition.platform.id=qemu is set. Then coreos-platform-chrony-config.service will load ptp_kvm and configure chrony accordingly.

rpm-ostree kargs --replace=ignition.platform.id=qemu

I was wondering why another VM at Ionos had ptp_kvm working without me setting it up. It turned out my Hetzner VM had ignition.platform.id=metal which prevents automatic ptp_kvm setup.

#hetzner #timekeeping #ntp #ptp #kvm #ionos

Today I learned: Hetzner supports ptp_kvm for time sync, no ntp servers necessary (although I still have them in my config).

#hetzner #timekeeping #ntp #ptp #kvm

PSA for time nuts: The #AppArmor profiles in #Debian Trixie for #gpsd and #chrony are broken if you try to use SOCK rather than SHM, for maximum #PPS accuracy. Bit me on #Proxmox 9.1. The #NTP SHM segment has to be polled by definition; SOCK is event-driven, so you only get #UNIX socket latency on pulses. So just put them in complain. Not an issue for me yet. The #SiRFStar IV #USB GPS I scored yesterday doesn't appear to do PPS sadly. Here's hoping, hoping, I stashed my GPSDO in safekeeping!

The Internet has become such a cesspool that #ntp is going to have to be signed/encrypted
https://www.potaroo.net/ispcol/2026-03/nts.html

I've been using my local DNS server to redirect systems on my local network to the local NTP server when they request commonly used NTP servers. The current list:

time.android.com
time.apple.com
time.asia.apple.com
time.euro.apple.com
time.aws.com
sntp.brother.com
time.cloudflare.com
*.ntp-fireos.com
time.google.com
time1.google.com
time2.google.com
time3.google.com
time4.google.com
time.windows.com
pool.ntp.org
*.pool.ntp.org

Any fairly common ones I've missed?

(This post brought to you by nobody ever really implementing DHCP option 42.)

#NTP #DNS