[ntp:questions] Internal time server

RICCARDO castellani.riccardo at tiscali.it
Wed Mar 14 08:10:15 UTC 2007


<<You can't use "restrict default ignore" and pool servers (or any other
hostnames that resolve to multiple IP addresses)>>

What do you suggest I do, use server hostnames which resolve to a unique
IP address?
How many servers should you insert into ntp.conf? Min. 4?



Steve Kostecke wrote:

> On 2007-03-13, RICCARDO <castellani.riccardo at tiscali.it> wrote:
>
> > I'm going to create my internal time server, what do you think if I
> > set ntp.conf so:
>
> > restrict default ignore
>
> You can't use "restrict default ignore" and pool servers (or any other
> hostnames that resolve to multiple IP addresses).
>
> > restrict 127.0.0.1
> > restrict 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap
> > #for stratum 1 time server
> >
> > restrict 196.200.3.0 mask 255.255.255.0 nomodify noquery notrap
> > #for clients
> >
> > server 1.it.pool.ntp.org
> > #time server of stratum 1
>
> The 1 on that server line does not mean that you will get a stratum-1
> time server.
>
> If you wish to use the it.pool.ntp.org zone you should follow the
> instructions at http://www.pool.ntp.org/zone/it
>
> > driftfile /var/lib/ntp/drift
>
> Here's what your ntp.conf ought to look like (if you are using the
> it.pool zone):
>
> # General settings
> driftfile /var/lib/ntp/drift
>
> # Default restriction - time service only
> restrict default nomodify nopeer notrap noquery
> restrict 127.0.0.1
>
> # Authorized Clients - are allowed time service and status queries
> restrict 196.200.3.0 mask 255.255.255.0 nomodify nopeer notrap
>
> # Remote time servers from the it.pool.ntp.org zone
> server 2.it.pool.ntp.org iburst
> server 0.europe.pool.ntp.org iburst
> server 2.europe.pool.ntp.org iburst
>
> > I noted that if I set a bad time on my server, the ntpd service
> > synchronizes it correctly, but how is that possible if it's set "restrict
> > 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap"?
> > Should the "nomodify" option avoid changing the status of my internal
> > server (time should not be set)?
>
> nomodify has nothing to do with time service.
>
> nomodify ==> "Deny ntpq and ntpdc queries which attempt to modify the
> state of the server (i.e., run time reconfiguration). Queries which
> return information are permitted."
>
> Remote modifications of ntpd require either (a) the use of symmetric
> keys or (b) that you completely disable authentication. So your ntpd
> can't be modified remotely unless you satisfy (a) or (b).
>
> nomodify blocks remote modifications even if someone has the symmetric
> key(s) or, I believe, if authentication is disabled.
>
> --
> Steve Kostecke <kostecke at ntp.isc.org>
> NTP Public Services Project - http://ntp.isc.org/
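
Added example, not part of the original messages: a small Python check for the conflict described above, where "restrict default ignore" is combined with a server hostname that resolves to several addresses. It also goes one step beyond the thread and flags a single-address server that no restrict line covers. The names lint_ntp_conf, fake_resolver, FAKE_DNS and ntp1.example.net are hypothetical, and the DNS answers are constructed.

```python
import ipaddress
import socket

def resolve(host):
    """Live lookup: sorted IPv4 addresses for a hostname or address literal."""
    infos = socket.getaddrinfo(host, 123, socket.AF_INET, socket.SOCK_DGRAM)
    return sorted({info[4][0] for info in infos})

def lint_ntp_conf(text, resolver=resolve):
    """Return (server, reason) pairs that break under 'restrict default ignore'."""
    default_ignore, servers, allowed = False, [], []
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()   # drop comments
        if len(words) < 2:
            continue
        if words[0] == "server":
            servers.append(words[1])
        elif words[0] == "restrict" and words[1] == "default":
            default_ignore = "ignore" in words[2:]
        elif words[0] == "restrict" and "ignore" not in words[2:]:
            mask = words[words.index("mask") + 1] if "mask" in words else "255.255.255.255"
            for addr in resolver(words[1]):
                allowed.append(ipaddress.ip_network(f"{addr}/{mask}", strict=False))
    findings = []
    for host in (servers if default_ignore else []):
        addrs = resolver(host)
        if len(addrs) > 1:
            findings.append((host, "resolves to multiple addresses"))
        elif not any(ipaddress.ip_address(a) in net for a in addrs for net in allowed):
            findings.append((host, "no restrict entry covers its address"))
    return findings

# Constructed DNS answers (documentation address ranges, not real pool members).
FAKE_DNS = {
    "1.it.pool.ntp.org": ["192.0.2.1", "192.0.2.2", "198.51.100.7"],
    "1.europe.pool.ntp.org": ["198.51.100.20", "203.0.113.5"],
    "ntp1.example.net": ["192.0.2.10"],          # hypothetical single-address server
}
def fake_resolver(name):
    return FAKE_DNS.get(name, [name])            # address literals map to themselves

# The configuration from the original question.
QUESTION_CONF = """\
restrict default ignore
restrict 127.0.0.1
restrict 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap
restrict 196.200.3.0 mask 255.255.255.0 nomodify noquery notrap
server 1.it.pool.ntp.org
"""
print(lint_ntp_conf(QUESTION_CONF, fake_resolver))
```

Calling lint_ntp_conf(text) without a resolver argument uses live DNS through socket.getaddrinfo instead of the constructed table.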



