[ntp:questions] Re: Box not synchronizing

Richard B. Gilbert rgilbert88 at comcast.net
Wed Jun 7 01:43:20 UTC 2006


mooron at mooron.com wrote:

> Steve Kostecke wrote:
> 
>>On 2006-06-06, mooron at mooron.com <mooron at mooron.com> wrote:
>>
>>
>>>This is what I consider a minimal NTP.CONF:
>>>
>>>server x.x.x.x maxpoll 6
>>
>>ntpd automatically manages the poll period based upon a number of
>>factors. Under ideal conditions the poll period will increase to 1024
>>seconds (or 17.067 minutes).
>>
>>Forcing ntpd to poll someone else's time server every 64 seconds is
>>considered abusive.
> 
> 
> He was talking about use on the local LAN, in which case,
> polling frequency is a non-issue.
> 
> 
>>>driftfile /etc/ntp.drift
>>>enable auth
> 
> 
> I actually got burned by this.  I had someone set up a fake
> stratum 1 server with a "peer" statement in their configuration
> and fed me bad time.  I specify it anyway just to be safe.
> 
> 
>>Authentication is enabled by default (at least for ntp 4.2.x).
>>
>>
>>>That simple configuration is all you really need in almost
>>>all cases.
>>
>>Your sample configuration is a _very_ bad example.
> 
> 
> Fine, please post what you consider to be a minimal
> configuration.

driftfile /var/ntp/ntp.drift
restrict default notrust nomodify
server <ip-address> iburst
restrict <ip-address> <ip mask> nomodify  #Address of server above.

The restrict statements say by default trust no one to give you correct 
time and allow no one to modify your ntpd parameters and to trust your 
chosen server for time.

It's not a particularly good config, just a minimal config.  To make it 
a good config, add three more servers.  A single server must be 
followed, right or wrong.  Two servers are the worst possible 
configuration.  Three are okay but if you lose one you have only two 
left; the worst possible case.  Four servers allow ntpd to "vote out" 
one bad server if need be.  Five servers allow ntpd to vote out two bad 
servers and seven servers protect you against three of them failing 
somehow.  Few sites need the kind of reliability provided by seven 
servers and many people will encounter difficulty in finding seven good 
servers.  A log file may also be helpful.

Your chosen servers should have low round trip delay values; I prefer 
delays of less than 20 milliseconds.  This rule of thumb limits you to 
servers within two or three hundred miles of you.  Some servers, though 
physically close to you may have delays much longer than the distance 
will account for.  An example of how this sort of thing might happen: a 
site on the east coast of the US whose corporate headquarters are 
located on the west coast and their internet connection goes through the 
corporate headquarters.  So the site is two miles from you in physical 
space and 6000 miles away in net space.
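Added example, not from the post or the NTP project: a small Python checker for an ntp.conf in the shape shown above. It parses the server and restrict lines, confirms that the default restrict carries notrust and nomodify and that each server has a restrict line of its own that lifts notrust (as the per-server line above does), and reports the server count against the voting rule of thumb. The sample config and its 192.0.2.x addresses are constructed.

```python
import re

# Constructed sample in the shape of the post's minimal config, with four servers;
# two of them deliberately lack a per-server restrict line so the checker has findings.
SAMPLE_CONF = """\
restrict default notrust nomodify
server 192.0.2.10 iburst
restrict 192.0.2.10 255.255.255.255 nomodify  #Address of server above.
server 192.0.2.11 iburst
restrict 192.0.2.11 mask 255.255.255.255 nomodify
server 192.0.2.12 iburst
server 192.0.2.13 iburst
"""

DOTTED = re.compile(r"\d+\.\d+\.\d+\.\d+")  # a netmask written as a dotted quad


def parse_ntp_conf(text: str) -> tuple[list[str], dict[str, set[str]]]:
    """Return (server addresses, {restrict target: flags}); '#' starts a comment."""
    servers, restricts = [], {}
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()
        if len(words) > 1 and words[0] == "server":
            servers.append(words[1])
        elif len(words) > 1 and words[0] == "restrict":
            # skip an optional "mask" keyword and dotted-quad mask; the rest are flags
            restricts[words[1]] = {w for w in words[2:] if w != "mask" and not DOTTED.fullmatch(w)}
    return servers, restricts


def server_count_verdict(n: int) -> str:
    """The post's rule of thumb for how many servers ntpd needs to outvote bad ones."""
    if n >= 7: return "can vote out three bad servers"
    if n >= 5: return "can vote out two bad servers"
    if n == 4: return "can vote out one bad server"
    if n == 3: return "okay, but losing one leaves the worst case"
    if n == 2: return "worst possible configuration"
    return "followed right or wrong" if n == 1 else "no servers configured"


def check_conf(text: str) -> dict:
    """Findings against the post's advice; an empty 'findings' list means it matches."""
    servers, restricts = parse_ntp_conf(text)
    default = restricts.get("default", set())
    findings = [f"restrict default lacks {f}" for f in ("notrust", "nomodify") if f not in default]
    for srv in servers:
        own = restricts.get(srv)
        if own is None:
            findings.append(f"server {srv} has no restrict line lifting the default notrust")
        elif "notrust" in own:
            findings.append(f"restrict line for {srv} still carries notrust")
    return {"servers": len(servers), "verdict": server_count_verdict(len(servers)),
            "findings": findings}
```

Run it on a real /etc/ntp.conf by reading the file into check_conf; every reported line names the server or flag to fix.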