[ntp:questions] Restrict vs DNS lookup

Danny Mayer mayer at ntp.org
Mon Jun 7 19:07:49 UTC 2010

On 6/7/2010 4:50 AM, Hal Murray wrote:
> In article <4C0BCCFE.30602 at ntp.org>,
>  Danny Mayer <mayer at ntp.org> writes:
>> On 6/6/2010 3:24 AM, Hal Murray wrote:
>>> https://bugs.ntp.org/show_bug.cgi?id=1568
>>> Dave Hart points out that ntp-dev has a server option to the restrict
>>> command.
>>> Description here:
>>>   http://www.eecis.udel.edu/~mills/ntp/html/accopt.html
>>> Would somebody who uses restrict please check to see if this
>>> does what you want.
>> Hal,
>> If this is about my suggestion to add a server option for restrict lines
>> to allow easier control of packets from servers defined in the various
>> server/pool, etc. lines then neither of these references describe that.
> Both mention >restrict server<
> Yes, the part in accopt.html is hidden in the fine print.

Actually they mention restrict source, not restrict server. There is
essentially no description of what this option is or what it does. There
needs to be a documentation effort to explain clearly the usage and why
and when to use it.

>> The goal is to allow through packets from the servers you list even
>> though there may be other restrict lines.
> I think >restrict server< will do that.
> I hope somebody more familiar with restrict will double check.
>> I'm not sure I understand the intention of your note.
>> Danny
> There have been occasional discussion here about the interactions
> of DNS with restrict.  There was one recently.  I entered the
> bug to collect thoughts and keep it from falling through the cracks.
> It's possible that some work on the documentation will make
> me happy and help others avoid confusion.  I think it's simple
> after you understand it, but it took me a while to figure that
> out and I'm not really sure I've got it right.
> I think part of my confusion is that there are two things
> you might want to do with restrict and DNS.
> One is the case you mention, let through packets from servers that
> are looked up via DNS when your restrict line would otherwise
> block them.  I think the current code will do that.
> The other possibility is to block servers from a CIDR block,
> even if you get one from DNS.  This isn't interesting if
> you trust the people running the servers you are using
> and if you don't trust them, why are you using their servers?
> But you might want to skip servers in XXX (pick your favorite
> bad guy) even if they make it into the pool.

This one is not clear. If you want to specify a restriction on a block,
I seem to recall that you can use a netmask. I don't think you can do a
/24 style subnet yet unless Dave Hart has implemented that.
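The thread turns on two things: the `restrict <addr> mask <mask> ...` form that ntpd accepts for a block (as opposed to a `/24` suffix), and the question of which addresses that a DNS or pool lookup hands back would fall inside such a block. The following is an added example, not code from the thread or from the ntp project. It converts a CIDR block into the mask form, parses a constructed set of restrict lines, and reports which of a constructed list of resolved server addresses land inside a restricted block. It only tests address containment and assumes the most specific (longest-prefix) entry wins; it does not model ntpd's real restrict-list matching, `restrict default`, or `restrict source` behaviour, and the addresses are documentation ranges, not real pool servers.

```python
import ipaddress

# Constructed sample config and resolved addresses (RFC 5737 documentation
# ranges); they stand in for a real ntp.conf and a real pool lookup.
SAMPLE_RESTRICT_LINES = [
    "restrict default kod nomodify notrap nopeer noquery",
    "restrict source nomodify notrap",  # per-source entry; not an address block
    "restrict 192.0.2.0 mask 255.255.255.0 ignore",
    "restrict 198.51.100.128 mask 255.255.255.128 ignore",
    "restrict 127.0.0.1",
]
SAMPLE_RESOLVED = ["192.0.2.17", "203.0.113.5", "198.51.100.200", "198.51.100.7"]


def cidr_to_restrict(network, flags="ignore"):
    """Render a CIDR block in the `restrict <addr> mask <mask> <flags>` form."""
    net = ipaddress.ip_network(network, strict=True)
    return f"restrict {net.network_address} mask {net.netmask} {flags}"


def parse_restrict_lines(lines):
    """Collect address-block restrict entries as (ip_network, flags).

    `restrict default` and `restrict source` carry no address block and are
    skipped. A bare address becomes a single-host network (/32 or /128).
    """
    entries = []
    for line in lines:
        parts = line.split()
        if len(parts) < 2 or parts[0] != "restrict":
            continue
        target = parts[1]
        if target in ("default", "source"):
            continue
        if len(parts) >= 4 and parts[2] == "mask":
            # ipaddress accepts "addr/dotted-mask" and reduces it to a prefix.
            net = ipaddress.ip_network(f"{target}/{parts[3]}", strict=False)
            flags = parts[4:]
        else:
            net = ipaddress.ip_network(target)
            flags = parts[2:]
        entries.append((net, tuple(flags)))
    return entries


def classify_sources(lines, addrs):
    """Map each resolved address to (block, flags) for the most specific
    matching block, or None if no address block covers it.

    Longest-prefix-wins is an assumption of this example, not a statement
    about ntpd's matching order.
    """
    entries = parse_restrict_lines(lines)
    result = {}
    for addr in addrs:
        ip = ipaddress.ip_address(addr)
        # `ip in net` is False across IPv4/IPv6, so mixed lists are safe.
        matches = [(net, flags) for net, flags in entries if ip in net]
        if matches:
            net, flags = max(matches, key=lambda m: m[0].prefixlen)
            result[addr] = (str(net), " ".join(flags))
        else:
            result[addr] = None
    return result


if __name__ == "__main__":
    print(cidr_to_restrict("192.0.2.0/24"))
    for addr, hit in classify_sources(SAMPLE_RESTRICT_LINES, SAMPLE_RESOLVED).items():
        print(f"{addr:16} {'not in any block' if hit is None else hit}")
```

Run it as a script to see, for each constructed address, whether an `ignore` block in the sample config would cover it; feed it the output of a real lookup (for example the addresses `ntpq -p` shows for a pool association) to check a live configuration the same way.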

