ntp.conf

To: Greg Troxel <gdt%ir.bbn.com@localhost>, Erik Fair <fair%netbsd.org@localhost>, source-changes-d%NetBSD.org@localhost
Subject: ntp.conf
From: Alan Barrett <apb%cequrux.com@localhost>
Date: Sun, 12 Jan 2014 18:03:03 +0200

On Mon, 06 Jan 2014, Alan Barrett wrote:

On Mon, 06 Jan 2014, Erik Fair wrote:
Unless I misunderstand NTP configuration semantics, your additional"restrict" statements for the NTP pool names will do the wrongthing, in that each reference to a given netbsd.pool.ntp.org namereturns multiple IP addresses, in apparently random order, i.e. anattempt to guarantee no two queries return the same data.
Ergo, those restrict statements will most probably not end up withthe same IP address as their preceding "server" statements, as waspresumably your intent.
Yes, you are correct.  What should we do?
If you have "restrict default nopeer noquery" (the uncommented line inmy commit), then time service will still work, but the configuredservers will be denied query permission.
If you use "restrict default ignore", then time service does not work.

I propose to remove the commented-out "restrict default ignore",remove the various "restrict *.netbsd.pool.ntp.org" lines,and remove all mention of special "restrict" lines for eachpeer or server, and change a few comments. That will leave therestrict-related part of the default configuration like this:


[[[
# Access control restrictions.
# See /usr/share/doc/html/ntp/accopt.html for syntax.
# See <http://support.ntp.org/bin/view/Support/AccessRestrictions> for advice.
# Last match wins.
#
# Some of the more common keywords are:
#   ignore      Deny packets of all kinds.
#   kod         Send "kiss-o'-death" packets if clients exceed rate
#               limits.
#   nomodify    Deny attempts to modify the state of the server via
#               ntpq or ntpdc queries.
#   noquery     Deny all ntpq and ntpdc queries.  Does not affect time
#               synchronisation.
#   nopeer      Prevent establishing new peer associations.
#               Does not affect peers configured using "peer" lines.
#               Does not affect client/server time synchronisation.
#   noserve     Deny all time synchronisation.  Does not affect ntpq or
#               ntpdc queries.
#   notrap      Deny the trap subset of the ntpdc control message protocol.
#   notrust     Deny packets that are not cryptographically authenticated.
#
# By default, allow client/server time exchange without prior
# arrangement, but deny configuration changes, queries, and peer
# associations that were not explicitly configured.
#
restrict default kod nopeer noquery

# Fewer restrictions for the local subnet.
# (Uncomment and adjust as appropriate.)
#
#restrict 192.0.2.0 mask 255.255.255.0 kod nomodify notrap nopeer
#restrict 2001:db8:: mask ffff:ffff::  kod nomodify notrap nopeer

# No restrictions for localhost.
#
restrict 127.0.0.1
restrict ::1
]]]

Does that sound OK?

--apb (Alan Barrett)

References:
- Re: CVS commit: src/etc
  - From: Erik Fair
- Re: CVS commit: src/etc
  - From: Alan Barrett

Prev by Date: Re: CVS commit: src/etc
Next by Date: Re: use of bsd.sys.mk
Previous by Thread: Re: CVS commit: src/etc
Next by Thread: re: CVS commit: src/sys
Indexes:

Home | Main Index | Thread Index | Old Index