cloudflare / roughtime

A secure clock-synchronization protocol for when rough is enough.
https://developers.cloudflare.com/time-services/roughtime/
Apache License 2.0

Can we hardcode roughtime IP? #50

Closed 1f604 closed 4 months ago

1f604 commented 6 months ago

Hi all,

A common problem faced by many is that DNS-over-HTTPS won't work if your clock is wrong, and you can't fix your clock because you can't resolve NTP domain names to IPs. The same problem seems to be present with roughtime: we can't connect to the roughtime server if we can't resolve the roughtime domain names to IPs.

Is it possible to get a roughtime IP that we can just hardcode?

Thanks a lot.

lukevalenta commented 6 months ago

Great question! They're not currently documented as being static, but I don't expect the IPs for roughtime.cloudflare.com to change for the foreseeable future. (They're the same set of IPs as we advertise for time.cloudflare.com for NTP/NTS.)

dig +short A roughtime.cloudflare.com
162.159.200.1
162.159.200.123
dig +short AAAA roughtime.cloudflare.com
2606:4700:f1::123
2606:4700:f1::1

I'll leave this issue open until we make this more clear in the documentation. You should feel comfortable hard-coding those IPs for now. If anything changes (unlikely), we'll alert the roughtime mailing list with plenty of advance notice.

Keep in mind that we've recently announced some updates to our roughtime servers on that list: https://groups.google.com/a/chromium.org/g/proto-roughtime/c/vbmjoudG184

cjpatton commented 6 months ago

I agree that the IPs are not likely to change, but they are certainly subject to change. In general, relying on assets like public keys to be mapped to specific IPs is probably not a good idea.

Can you elaborate a bit more on your threat model? I'm wondering if relying on DoH (DNS-over-HTTPS) is actually needed. Perhaps plaintext DNS is an option?
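One way a client could act on both comments above, as an added example (not code from the repository or from the commenters): prefer the DNS answer for roughtime.cloudflare.com, fall back to the IPs quoted in the thread only when resolution fails, and flag any DNS answer that has drifted from the hardcoded set so the fallback list can be refreshed. The injectable resolver and the drift check are this example's own; authenticating the response against the server's long-term Roughtime public key is left to the client library.

```python
import ipaddress
import socket
from typing import Callable, Iterable

# Addresses quoted in the thread for roughtime.cloudflare.com (shared with
# time.cloudflare.com). Not documented as static: a fallback, not the truth.
ROUGHTIME_HOST = "roughtime.cloudflare.com"
HARDCODED_IPS = frozenset({
    "162.159.200.1", "162.159.200.123",
    "2606:4700:f1::123", "2606:4700:f1::1",
})

Resolver = Callable[[str], Iterable[str]]


def system_resolver(host: str) -> list[str]:
    """Resolve via the system resolver; raises OSError (gaierror) on failure."""
    infos = socket.getaddrinfo(host, None)
    return sorted({info[4][0] for info in infos})


def candidate_addresses(resolver: Resolver = system_resolver) -> tuple[list[str], list[str]]:
    """Return (ordered candidate addresses, warnings).

    DNS answers come first because the operator may move the service. If DNS
    is unavailable (e.g. DoH refuses to work because the clock is wrong), the
    hardcoded list is used so the clock can still be bootstrapped. Whichever
    address answers, the Roughtime response is only trusted after the client
    library verifies it against the pinned long-term public key, so a stale
    address fails closed rather than yielding a bogus time.
    """
    warnings: list[str] = []
    try:
        # Canonicalise so "2606:4700:f1:0:0:0:0:1" and "2606:4700:f1::1" compare equal.
        resolved = [str(ipaddress.ip_address(a)) for a in resolver(ROUGHTIME_HOST)]
        if not resolved:
            raise OSError("resolver returned no addresses")
    except OSError as exc:
        warnings.append(f"DNS failed ({exc}); using hardcoded fallback")
        return sorted(HARDCODED_IPS), warnings

    # Detection point: the published addresses changed and our fallback is stale.
    drift = sorted(set(resolved) - HARDCODED_IPS)
    if drift:
        warnings.append(f"DNS returned addresses not in fallback list: {drift}")

    # Prefer live DNS answers, then any hardcoded address DNS did not return.
    ordered = resolved + sorted(HARDCODED_IPS - set(resolved))
    return ordered, warnings
```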

cjpatton commented 4 months ago

Closing due to lack of activity. Feel free to re-open if you want to get this question answered.