[ntp:questions] Servers with identical ntp.conf keep falling out of sync

Richard B. Gilbert rgilbert88 at comcast.net
Wed Jan 17 16:06:02 UTC 2007


shoppa at trailing-edge.com wrote:

> Steve Kostecke wrote:
> 
>>On 2007-01-16, Gushi <google at gushi.org> wrote:
>>
>>
>>>restrict default ignore
>>>restrict 127.0.0.1
>>>server 0.us.pool.ntp.org
>>>server 1.us.pool.ntp.org
>>>server 2.us.pool.ntp.org
>>
>>This won't work at all. You've told ntpd to ignore all NTP packets from
>>any possible source. And you've not told it to accept NTP packets from
>>your time servers.
>>
>>Please read http://ntp.isc.org/Support/AccessRestrictions and follow the
>>"decision tree" for setting your default restriction.
> 
> 
> Maybe someone can educate me (and Steve you've done a good job at this
> in the past), but I see the "I've restricted even the servers I
> specified from telling me what time it is" question come up regularly
> in these discussions. Is there some website, or some old set of man
> pages, or some popular book, or something out there that causes this
> same question to occur over and over and over again?
> 
> Tim.
> 

I think it's just the documentation and the way people treat it.  They 
read just enough to find out how to write a restrict statement or they 
copy all the restrict statements from several examples.  The 
documentation DOES explain what these statements do.  It DOES give some 
advice on how to do it right.  People come from the Windoze world with 
the idea that "I've got to lock this down so no one, anywhere, can hack 
it."  Of course they're in a hurry to get it working. . . .

It doesn't help that the semantics of "restrict notrust" changed between 
4.0 and 4.1.  It would have been far better to introduce a new keyword.

I never had a problem with restrict statements but I read and understood 
the documentation before I wrote my first one.
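
An added example, not part of the original message or of ntpd itself: a small Python lint that reads ntp.conf text and lists the configured servers whose replies the restrict rules would drop, run on the configuration quoted in the thread and on a constructed variant. It assumes the most specific matching restrict entry decides, compares hostnames as strings with no DNS lookup, and all function names are hypothetical.

```python
import ipaddress

def parse(conf):
    """Return (servers, restricts); each restrict is (addr, mask, flags)."""
    servers, restricts = [], []
    for line in conf.splitlines():
        tok = [t for t in line.split("#", 1)[0].split() if t not in ("-4", "-6")]
        if len(tok) >= 2 and tok[0] in ("server", "peer"):
            servers.append(tok[1])
        elif len(tok) >= 2 and tok[0] == "restrict":
            addr, flags, mask = tok[1], tok[2:], None
            if len(flags) >= 2 and flags[0] == "mask":
                mask, flags = flags[1], flags[2:]
            restricts.append((addr, mask, set(flags)))
    return servers, restricts

def score(server, addr, mask):
    """Specificity of one restrict entry for this server, or -1 if it does not apply."""
    if addr == "default":
        return 0
    if addr == server and mask is None:
        return 129  # exact entry beats any network entry
    try:
        net = ipaddress.ip_network(addr if mask is None else f"{addr}/{mask}", strict=False)
        ip = ipaddress.ip_address(server)
    except ValueError:
        return -1  # hostname on either side: compared as strings only, no DNS lookup
    return net.prefixlen if ip.version == net.version and ip in net else -1

def blocked_servers(conf):
    """Servers whose most specific matching restrict entry carries 'ignore'."""
    servers, restricts = parse(conf)
    blocked = []
    for s in servers:
        hits = [(score(s, a, m), f) for a, m, f in restricts if score(s, a, m) >= 0]
        if hits and "ignore" in max(hits, key=lambda h: h[0])[1]:
            blocked.append(s)
    return blocked

POSTED = """restrict default ignore
restrict 127.0.0.1
server 0.us.pool.ntp.org
server 1.us.pool.ntp.org
server 2.us.pool.ntp.org"""
# Constructed variant (documentation-range addresses): one server has its own entry.
CONSTRUCTED = """restrict default ignore
restrict 192.0.2.10 nomodify notrap noquery
server 192.0.2.10
server 192.0.2.20"""
print(blocked_servers(POSTED), blocked_servers(CONSTRUCTED))
```
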



