[ntp:questions] Servers with identical ntp.conf keep falling out of sync
Richard B. Gilbert
rgilbert88 at comcast.net
Wed Jan 17 16:06:02 UTC 2007
shoppa at trailing-edge.com wrote:
> Steve Kostecke wrote:
>>On 2007-01-16, Gushi <google at gushi.org> wrote:
>>>restrict default ignore
>>This won't work at all. You've told ntpd to ignore all NTP packets from
>>any possible source. And you've not told it to accept NTP packets from
>>your time servers.
>>Please read http://ntp.isc.org/Support/AccessRestrictions and follow the
>>"decision tree" for setting your default restriction.
> Maybe someone can educate me (and Steve you've done a good job at this
> in the past), but I see the "I've restricted even the servers I
> specified from telling me what time it is" question come up regularly
> in these discussions. Is there some website, or some old set of man
> pages, or some popular book, or something out there that causes this
> same question to occur over and over and over again?
I think it's just the documentation and the way people treat it. They
read just enough to find out how to write a restrict statement or they
copy all the restrict statements from several examples. The
documentation DOES explain what these statements do. It DOES give some
advice on how to do it right. People come from the Windoze world with
the idea that "I've got to lock this down so no one, anywhere, can hack
it." Of course they're in a hurry to get it working. . . .
It doesn't help that the semantics of "restrict notrust" changed between
4.0 and 4.1. It would have been far better to introduce a new keyword.
I never had a problem with restrict statements but I read and understood
the documentation before I wrote my first one.
More information about the questions