Time Risk
How CNX Addresses Each Vector
The attack surface documented in this collection has four structural components: an unauthenticated protocol, an open pool infrastructure, a DNS dependency, and an inherited CA trust model. CNX Precision Time removes all four — at the architectural level, not through configuration hardening of standard NTP.
Private trust anchor: replacing 150 CAs with one
The previous section established that a standard NTS deployment delegates the identity of the time authority to approximately 150 public certificate authorities the institution did not audit.
CNX Precision Time issues service certificates from a private root CA dedicated exclusively to the time service. The institution installs the CNX root anchor once. From that point, the TLS handshake during NTS key exchange accepts only certificates that chain to the CNX root. The 150-organisation public CA bundle is not consulted for time. A compromised public CA — regardless of which one, regardless of what certificate it issues — cannot produce a certificate this client will accept as a CNX time server.
The trust question has a defined, auditable answer: one root CA, one operator, one jurisdiction.
Eliminating DNS from the synchronisation path
The DNS cache poisoning vector demonstrated in previous sections applies to any NTP deployment that resolves server addresses via DNS — including Chronos, which queries up to 24 servers and thereby widens the poisoning surface.
CNX Precision Time clients pin the NTS server hostname to the CNX anycast address directly in /etc/hosts. The chrony configuration references the hostname; the operating system resolves it locally. No DNS query leaves the machine during synchronisation. The TLS handshake validates against the hostname in the certificate, maintaining full certificate validation without any DNS dependency.
The DNS poisoning vector is removed structurally — not mitigated, not rate-limited, removed.
Authenticated transport: closing off-path and on-path injection
NTS-KE establishes a TLS session with the CNX Stratum-1 server and derives per-session AEAD keys. Subsequent NTP packets carry authenticated extension fields bound to those keys.
The CVE-2015-7705 “Priming the Pump” attack requires spoofing queries on behalf of the victim to trigger server-side rate-limiting. NTS unicast cookies are session-specific and cryptographically bound to the client identity — an off-path attacker cannot generate valid queries on behalf of a subscribed client without the session keys. The IPv4 fragmentation injection vector requires the attacker to control the payload of a reassembled packet; authenticated extension fields cause the client to reject any packet whose payload has been substituted.
Both off-path vectors documented in this collection are closed by authenticated transport.
Sovereign pool: closing pool injection and Marzullo manipulation
CNX Precision Time clients synchronise to a dedicated, domestically governed Stratum-1 authority. There is no pool membership, no geo-DNS allocation, and no volunteer operator infrastructure.
The pool injection vector requires access to the pool selection mechanism. CNX Precision Time has none — the “pool” is a single controlled source. The Marzullo manipulation vector requires placing attacker-controlled servers into the client’s peer set. CNX Precision Time clients have a fixed, authenticated peer set of one. There is no statistical consensus to subvert.
Atomic holdover: removing the external dependency
Standard NTP — including NTS over public providers — depends on continuous internet connectivity. If the upstream link fails, synchronisation stops and the local oscillator drifts immediately at its uncontrolled hardware rate.
CNX Precision Time is disciplined by in-country Rubidium atomic oscillators. In a total GNSS blackout or international fibre cut, the system maintains autonomous stability with drift under 1 µs per day for over a year. The time primitive does not depend on the availability of external networks. The service continues from its own atomic standard.
For institutions with regulatory requirements on audit trail continuity, this holdover property is the difference between a managed degradation and a compliance event. A cloud-based NTS provider that loses connectivity produces a degraded time reference. CNX Precision Time produces the same reference it always does.
Summary: what each architectural decision closes
| Vector | Mechanism | How CNX closes it |
|---|---|---|
| KoD isolation (CVE-2015-7704/7705) | Off-path spoofing / rate-limit abuse | Session-specific authenticated NTS cookies |
| IPv4 fragmentation injection | Layer 3 reassembly tampering | Authenticated extension fields reject substituted payloads |
| Small-Step-Big-Step (CVE-2015-5300) | On-path injection at daemon restart | NTS authenticated transport; no unauthenticated step accepted |
| Pool injection + Marzullo manipulation | Open pool membership; consensus subversion | Fixed single Stratum-1 source; no pool membership |
| DNS cache poisoning | Resolver manipulation pre-TLS | /etc/hosts pin; no DNS query during sync |
| Public CA impersonation | Certificate issued by compromised CA | Private root CA; public bundle not consulted |
| Jurisdictional compelled modification | Foreign legal process | Cambodian jurisdiction; MoPT-licensed operator |
| Link failure / GNSS disruption | External dependency | In-country Rubidium atomic holdover <1 µs/day |