[ntp:questions] Need help for IPv6 setup

Dave Hart hart at ntp.org
Tue May 29 15:54:10 UTC 2012


On Tue, May 29, 2012 at 1:37 PM, Nicolas Braud-Santoni wrote:
> I noticed my NTP server isn't usable over IPv6, despite it being
> pingable over IPv6.
> I checked that it's not a firewall problem (actually disabled iptables
> for checking this).
>
> Here is ntp's configuration :
> # /etc/ntp.conf, configuration for ntpd; see ntp.conf(5) for help
> listen-on ipv4 accept
> listen-on ipv6 accept

Both of the listen-on lines are nonfunctional and should be logging a
syntax error apiece.  There is an "interface" command that could be
used to customize listening addresses.  There's no reason to use it in
this case, as the default is to listen on all addresses.

> driftfile /var/lib/ntp/ntp.drift
>
> # Peers[...]
>
> setvar access_policy = "open access" default
> restrict -4 default kod notrap nomodify nopeer noquery
> restrict -6 default kod notrap nomodify nopeer noquery

With 4.2.6 and later the above two lines can be combined into one with
no -4 or -6 with the same effect.  Earlier versions defaulted to -4,
in effect; now unqualified default restrictions apply equally to both
protocols.

> # Local users may interrogate the ntp server more closely.
> restrict 127.0.0.1
> restrict ::1
>
> Here is some relevant information :
> # netstat -lp | grep ntp
> udp        0      0 <mydomain>:ntp *:*
> 22047/ntpd
> udp        0      0 localhost.localdoma:ntp
> *:*                                 22047/ntpd
> udp        0      0 *:ntp
> *:*                                 22047/ntpd
> udp6       0      0 [::]:ntp
> [::]:*                              22047/ntpd

Using netstat -nlp may be more appropriate here.  Assuming the first
line represents the sole (non-localhost) IPv4 address, there are a few
lines missing, one for each non-localhost IPv6 address.

Given [::] is being used, ntpd wasn't compiled with IPv6 support disabled.

> # ntpd --version
> ntpd - NTP daemon program - Ver. 4.2.6p2
>
> Here is a test from another IPv6-enabled box :
>
> # ping6 2001:41d0:8:12c7::dead:bebe
> PING 2001:41d0:8:12c7::dead:bebe(2001:41d0:8:12c7::dead:bebe) 56 data
> bytes
> 64 bytes from 2001:41d0:8:12c7::dead:bebe: icmp_seq=1 ttl=61
> time=0.480 ms
> 64 bytes from 2001:41d0:8:12c7::dead:bebe: icmp_seq=2 ttl=61
> time=0.334 ms
> [...]
>
> # ntpdate -qd 2001:41d0:8:12c7::dead:bebe
> 29 May 15:28:32 ntpdate[17761]: ntpdate 4.2.6p2 at 1.2194-o Sun Oct 17
> 13:35:14 UTC 2010 (1)
> transmit(2001:41d0:8:12c7::dead:bebe)
> transmit(2001:41d0:8:12c7::dead:bebe)
> transmit(2001:41d0:8:12c7::dead:bebe)
> transmit(2001:41d0:8:12c7::dead:bebe)
> transmit(2001:41d0:8:12c7::dead:bebe)
> 2001:41d0:8:12c7::dead:bebe: Server dropped: no data
> server 2001:41d0:8:12c7::dead:bebe, port 123
> stratum 0, precision 0, leap 00, trust 000
> refid [2001:41d0:8:12c7::dead:bebe], delay 0.00000, dispersion
> 64.00000
> transmitted 4, in filter 4
> reference time:    00000000.00000000  Mon, Jan  1 1900  0:09:21.000
> originate timestamp: 00000000.00000000  Mon, Jan  1 1900  0:09:21.000
> transmit timestamp:  d36f4d87.176c5e40  Tue, May 29 2012 15:28:39.091
> filter delay:  0.00000  0.00000  0.00000  0.00000
>         0.00000  0.00000  0.00000  0.00000
> filter offset: 0.000000 0.000000 0.000000 0.000000
>         0.000000 0.000000 0.000000 0.000000
> delay 0.00000, dispersion 64.00000
> offset 0.000000
>
> 29 May 15:28:41 ntpdate[17761]: no server suitable for synchronization
> found

This is expected given ntpd isn't listening on the global IPv6 address.

> The same thing happens in local, using either
> 2001:41d0:8:12c7::dead:bebe or ::1.

I would expect it to work locally against [::], though.  Let me know
if it doesn't.

Check your syslog for startup-time ntpd messages.  It should show each
local address being used, and may have an error message related to
failing to enumerate local IPv6 addresses, if we're lucky.  If not,
you may want to try stopping the daemon ntpd after noting its command
line options, then run it from an interactive root shell with -D4
added to the options, and possibly with the output redirected or tee'd
to a file.  You should see copious output from the local address
(likely referred to as "interface") enumeration.  Buried in there may
be error messages indicating the problem enumerating or using the
non-localhost IPv6 addresses.

Good luck,
Dave Hart
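
Added example, not part of the original message or of the NTP project's code: the netstat check from the reply above (one listening line expected per local address, wildcard lines aside), automated over `netstat -nlp` output. The sample output, the address list and the function names are constructed for illustration and use documentation prefixes.

```python
import ipaddress

# Constructed sample of `netstat -nlp` UDP lines (not the output from the thread).
SAMPLE_NETSTAT = """\
udp        0      0 192.0.2.10:123          0.0.0.0:*              22047/ntpd
udp        0      0 127.0.0.1:123           0.0.0.0:*              22047/ntpd
udp        0      0 0.0.0.0:123             0.0.0.0:*              22047/ntpd
udp6       0      0 :::123                  :::*                   22047/ntpd
"""
# Constructed list of addresses configured on the host.
SAMPLE_LOCAL = ["192.0.2.10", "127.0.0.1", "::1", "2001:db8::123"]


def ntp_bound_addresses(netstat_text, port=123):
    """Return the set of local IP addresses that have a UDP socket on `port`."""
    bound = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("udp"):
            continue
        # The local address is "host:port"; the port follows the last colon,
        # which also holds for numeric IPv6 forms such as ":::123".
        host, _, prt = fields[3].rpartition(":")
        if prt != str(port):
            continue
        host = host.split("%", 1)[0]  # drop a zone id such as %eth0
        try:
            bound.add(ipaddress.ip_address(host))
        except ValueError:
            continue  # a name, not a number: netstat was run without -n
    return bound


def missing_listeners(netstat_text, local_addrs, port=123):
    """Local addresses with no socket of their own (wildcards do not count)."""
    bound = {a for a in ntp_bound_addresses(netstat_text, port)
             if not a.is_unspecified}
    wanted = {ipaddress.ip_address(a) for a in local_addrs}
    missing = sorted(wanted - bound, key=lambda a: (a.version, int(a)))
    return [str(a) for a in missing]


if __name__ == "__main__":
    for addr in missing_listeners(SAMPLE_NETSTAT, SAMPLE_LOCAL):
        print("no per-address NTP socket for", addr)
```

Any address it reports is one to look for in the startup-time syslog messages or the -D4 output mentioned in the reply.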