[ntp:questions] Internal time server
castellani.riccardo at tiscali.it
Wed Mar 14 08:10:15 UTC 2007
<<You can't use "restrict default ignore" and pool servers (or any
hostnames that resolve to multiple IP addresses)>>
What do you suggest: should I use server hostnames which resolve to a unique
IP address?
How many servers should you insert into ntp.conf? Min. 4?
Steve Kostecke wrote:
> On 2007-03-13, RICCARDO <castellani.riccardo at tiscali.it> wrote:
> > I'm going to create my internal time server, what do you think if I
> > set ntp.conf so:
> > restrict default ignore
> You can't use "restrict default ignore" and pool servers (or any other
> hostnames that resolve to multiple IP addresses)
> > restrict 127.0.0.1
> > restrict 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap
> > #for stratum 1 time server
> > restrict 188.8.131.52 mask 255.255.255.0 nomodify noquery notrap
> > #for clients
> > server 1.it.pool.ntp.org
> > #time server of stratum 1
> The 1 on that server line does not mean that you will get a stratum-1
> time server.
> If you wish to use the it.pool.ntp.org zone you should follow the
> instructions at http://www.pool.ntp.org/zone/it
> > driftfile /var/lib/ntp/drift
> Here's what your ntp.conf ought to look like (if you are using the
> it.pool zone):
> # General settings
> driftfile /var/lib/ntp/drift
> # Default restriction - time service only
> restrict default nomodify nopeer notrap noquery
> restrict 127.0.0.1
> # Authorized Clients - are allowed time service and status queries
> restrict 184.108.40.206 mask 255.255.255.0 nomodify nopeer notrap
> # Remote time servers from the it.pool.ntp.org zone
> server 2.it.pool.ntp.org iburst
> server 0.europe.pool.ntp.org iburst
> server 2.europe.pool.ntp.org iburst
> > I noted that if I set a bad time on my server, the ntpd service synchronizes
> > it correctly, but how is that possible if "restrict
> > 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap" is set?
> > Should the "Nomodify" option prevent changing the status of my internal server
> > (time should not be set)?
> nomodify has nothing to do with time service.
> nomodify ==> "Deny ntpq and ntpdc queries which attempt to modify the
> state of the server (i.e., run time reconfiguration). Queries which
> return information are permitted."
> Remote modifications of ntpd require either (a) the use of symmetric
> keys or (b) that you completely disable authentication. So your ntpd
> can't be modified remotely unless you satisfy (a) or (b).
> nomodify blocks remote modifications even if someone has the symmetric
> key(s) or, I believe, if authentication is disabled.
> Steve Kostecke <kostecke at ntp.isc.org>
> NTP Public Services Project - http://ntp.isc.org/
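An added example (not part of the original thread and not NTP project code): a small offline linter for the problem Steve points out, flagging hostname-based time sources configured under `restrict default ignore` and `restrict` lines that name a host instead of an address. The names `lint_ntp_conf`, `is_ip`, `BEFORE` and `AFTER` are made up here, the samples are constructed from the two configurations in the thread, and the check assumes any non-literal name may resolve to several addresses (it does no DNS lookups).

```python
import ipaddress

# Constructed samples: the question's config (trimmed) and the suggested one.
BEFORE = """\
restrict default ignore
restrict 127.0.0.1
restrict 1.europe.pool.ntp.org mask 255.255.255.255 nomodify noquery notrap
server 1.it.pool.ntp.org
driftfile /var/lib/ntp/drift
"""
AFTER = """\
driftfile /var/lib/ntp/drift
restrict default nomodify nopeer notrap noquery
restrict 127.0.0.1
server 2.it.pool.ntp.org iburst
server 0.europe.pool.ntp.org iburst
server 2.europe.pool.ntp.org iburst
"""

def is_ip(token):  # True for an IPv4/IPv6 literal, False for a hostname
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False

def lint_ntp_conf(text):
    """Return sorted (line_number, message) findings for an ntp.conf string."""
    default_flags, named_sources, findings = set(), [], []
    for n, raw in enumerate(text.splitlines(), 1):
        # Drop comments and the optional -4/-6 address-family switch.
        words = [w for w in raw.split("#", 1)[0].split() if w not in ("-4", "-6")]
        if len(words) < 2:
            continue
        keyword, target = words[0], words[1]
        if keyword == "restrict" and target == "default":
            default_flags = set(words[2:])
        elif keyword == "restrict" and not is_ip(target):
            findings.append((n, f"restrict names host {target}, not an address"))
        elif keyword in ("server", "peer", "pool") and not is_ip(target):
            named_sources.append((n, target))
    if "ignore" in default_flags:
        # Assumption: every hostname may resolve to several addresses.
        findings += [(n, f"{h} is used under 'restrict default ignore'")
                     for n, h in named_sources]
    return sorted(findings)

if __name__ == "__main__":
    for label, conf in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_ntp_conf(conf))
```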