[ntp:questions] Re: ntpd, boot time, and hot plugging
Brad Knowles
brad at stop.mail-abuse.org
Sun Feb 6 20:29:51 UTC 2005
At 3:01 PM -0500 2005-02-06, Tom Smith wrote:
> I think what your experiment actually showed was that if you
> make both dependent on DNS timeouts, you can make ntpdate as
> slow as ntpd at this task.
No, my results clearly show that ntpdate is roughly as slow as (or
slower than) ntpd on startup for comparable sets of servers,
independent of DNS slowdowns.
> A lot of folks don't depend on DNS in the first place and
> place critical servers in /etc/hosts (or in very secure
> environments use only /etc/hosts). With respect to ntpd,
> a lot of folks use IP addresses in ntp.conf instead of
> names if there is any doubt about DNS server availability.
As we know, IP addresses of servers can change. And when you're
talking about services like pool.ntp.org, since you're using a DNS
round-robin "rotor", the IP addresses are supposed to change on every
query.
So, just using IP addresses alone does not work in the general
case. Indeed, with the recent changes in the Debian, Gentoo,
OpenBSD, NetBSD, and FreeBSD camps, I would submit that there are
probably now more people who are dependent on using pool.ntp.org than
have ever previously hand-coded their own ntp.conf and plugged in
primarily servers by IP address or which were specified in their
/etc/hosts. Then add to that all the MacOS X clients that are using
a time server provided by Apple, and the Windows clients that are
using a time server provided by Microsoft, and you push out the
numbers of DNS-dependent clients much, much further.
If you want to compare carefully created hand-crafted
configurations to anything else, you can show anything you want.
That's a clear case of rigging the jury.
> And if you feed ntpd only one server, or only three servers, and
> one or more of those servers is down, you can just as well
> be just as seriously toasted with ntpd. Dumb is dumb whether
> you're using a hammer or a screwdriver.
If you want to make a tool analogy, try the model of a Yankee
screwdriver as compared to a regular one, or a power model. Anyone
who has ever used a Yankee screwdriver knows that they can be
powerful and faster than a regular model, but they are also much more
likely to seriously injure you than either a regular screwdriver or
an electric one, exclusively because of the inherent design
differences.
Experience teaches us that ntpdate is far more likely to be
abused in stupid ways than ntpd, although stupidity with either can
be fatal.
> The data in fact show that ntpdate in fact made adjustments closer
> to zero to an already stable time than ntpd in all but one case.
No, the data doesn't show that. Your data is clearly different
from my data, and I've gone to significant lengths to try to make the
comparisons as clear and simple as possible.
> What I believe is that you should let Dave speak for himself and let
> carefully chosen and presented data speak for you. Like Dave, I prefer
> to base opinions on actual data, and, like Dave, I tend to place more
> faith in opinions similarly supported.
Well, we've got some actual data here, and I don't see any
practical advantage to using ntpdate over ntpd.
>> I am not convinced that these are design goals that can be made
>> to be compatible.
>
> Oh ye of little faith.
You're always welcome to step up to the plate and contribute code
which proves your claims. This is an open source project, after all.
--
Brad Knowles, <brad at stop.mail-abuse.org>
"Those who would give up essential Liberty, to purchase a little
temporary Safety, deserve neither Liberty nor Safety."
-- Benjamin Franklin (1706-1790), reply of the Pennsylvania
Assembly to the Governor, November 11, 1755
SAGE member since 1995. See <http://www.sage.org/> for more info.