[ntp:questions] Re: Box not synchronizing
Richard B. Gilbert
rgilbert88 at comcast.net
Wed Jun 7 01:43:20 UTC 2006
mooron at mooron.com wrote:
> Steve Kostecke wrote:
>
>>On 2006-06-06, mooron at mooron.com <mooron at mooron.com> wrote:
>>
>>
>>>This is what I consider a minimal NTP.CONF:
>>>
>>>server x.x.x.x maxpoll 6
>>
>>ntpd automatically manages the poll period based upon a number of
>>factors. Under ideal conditions the poll period will increase to 1024
>>seconds (or 17.067 minutes).
>>
>>Forcing ntpd to poll someone else's time server every 64 seconds is
>>considered abusive.
>
>
> He was talking about use on the local LAN, in which case,
> polling frequency is a non-issue.
>
>
>>>driftfile /etc/ntp.drift
>>>enable auth
>
>
> I actually got burned by this. I had someone set up a fake
> stratum 1 server with a "peer" statement in their configuration
> and fed me bad time. I specify it anyway just to be safe.
>
>
>>Authentication is enabled by default (at least for ntp 4.2.x).
>>
>>
>>>That simple configuration is all you really need in almost
>>>all cases.
>>
>>Your sample configuration is a _very_ bad example.
>
>
> Fine, please post what you consider to be a minimal
> configuration.
driftfile /var/ntp/ntp.drift
restrict default notrust nomodify
server <ip-address> iburst
restrict <ip-address> <ip mask> nomodify #Address of server above.
The restrict statements say by default trust no one to give you correct
time and allow no one to modify your ntpd parameters and to trust your
chosen server for time.
It's not a particularly good config, just a minimal config. To make it
a good config, add three more servers. A single server must be
followed, right or wrong. Two servers are the worst possible
configuration. Three are okay but if you lose one you have only two
left; the worst possible case. Four servers allow ntpd to "vote out"
one bad server if need be. Five servers allow ntpd to vote out two bad
servers and seven servers protect you against three of them failing
somehow. Few sites need the kind of reliability provided by seven
servers and many people will encounter difficulty in finding seven good
servers. A log file may also be helpful.
Your chosen servers should have low round trip delay values; I prefer
delays of less than 20 milliseconds. This rule of thumb limits you to
servers within two or three hundred miles of you. Some servers, though
physically close to you may have delays much longer than the distance
will account for. An example of how this sort of thing might happen: a
site on the east coast of the US whose corporate headquarters are
located on the west coast and their internet connection goes through the
corporate headquarters. So the site is two miles from you in physical
space and 6000 miles away in net space.
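Added example, not code from the post or from the NTP project: a small Python checker that parses a constructed `ntpq -p` billboard and applies the two rules of thumb above, the 20 ms round-trip delay ceiling and the server counts that let ntpd vote out bad servers. The hostnames and addresses are placeholders, and the formula f = (n - 1) // 2 is an assumed generalization of the counts the post gives (4 -> 1, 5 -> 2, 7 -> 3).

```python
"""Check an ntpd peer billboard against the post's rules of thumb."""
from dataclasses import dataclass

MAX_DELAY_MS = 20.0  # the post's preferred round-trip delay ceiling

# Constructed sample of `ntpq -p` output; names and addresses are placeholders.
SAMPLE_BILLBOARD = """\
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*ntp1.example.net 192.0.2.10       2 u   35   64  377    8.123   -0.512   0.231
+ntp2.example.net 192.0.2.11       2 u   20   64  377   12.004    0.210   0.310
-ntp3.example.net 192.0.2.12       2 u   50   64  377   85.400    3.100   1.200
 ntp4.example.net .INIT.          16 u    -   64    0    0.000    0.000   0.000
"""


@dataclass
class Peer:
    tally: str       # first column: '*' system peer, '+' candidate, '-' outlier, 'x' falseticker
    remote: str
    stratum: int
    reach: int       # 8-bit shift register of the last eight polls
    delay_ms: float  # round-trip delay


def parse_billboard(text):
    """Parse the billboard; the first two lines are the header and separator."""
    peers = []
    for line in text.splitlines()[2:]:
        if not line.strip():
            continue
        tally, cols = line[0], line[1:].split()
        # columns: remote refid st t when poll reach delay offset jitter
        peers.append(Peer(tally, cols[0], int(cols[2]), int(cols[6], 8), float(cols[7])))
    return peers


def usable(peer):
    """Reachable, actually synchronized (stratum < 16) and within the delay ceiling."""
    return peer.reach != 0 and peer.stratum < 16 and peer.delay_ms < MAX_DELAY_MS


def tolerated_falsetickers(n):
    """Bad servers a majority can outvote. Assumed generalization of the post's
    counts: fewer than three servers gives no protection, otherwise (n - 1) // 2."""
    return 0 if n < 3 else (n - 1) // 2


def assess(text):
    peers = parse_billboard(text)
    good = [p for p in peers if usable(p)]
    slow = [p.remote for p in peers if p.reach and p.delay_ms >= MAX_DELAY_MS]
    return {"configured": len(peers), "usable": len(good),
            "tolerated_bad": tolerated_falsetickers(len(good)), "slow": slow}


if __name__ == "__main__":
    print(assess(SAMPLE_BILLBOARD))
```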