[ntp:questions] Re: restrict lines

Brian Utterback brian.utterback at sun.removeme.com
Wed Mar 16 18:12:28 UTC 2005


Danny Mayer wrote:
> Guys, give it a break. There are no points to be gained or lost here.
> The fact is that the internet uses names, or would you prefer to send
> mail to 204.152.184.126 to respond to these mailing lists?
> 
> The restrict statements need to use IP addresses. For some servers
> like pool.ntp.org it makes sense to use the name and not the IP
> address as you never know what you are going to get.
> 
> The proper way to do this is to have the servers' IP addresses returned
> by DNS automatically be added to the allowed list so it will be
> unnecessary to add restrict lines for them. If you've asked that those
> servers be used to send you packets you better be prepared to receive
> them. It's on my list of things to implement. This makes this whole
> conversation moot.
> 
> Danny
> 

I am not sure that the problem is moot, even so. It suggests to me
that the server/peer line should allow a "restrict" modifier, that
applies to any IP resolved by that line. While it makes sense to
force a client to accept time from a configured server, it might
make sense to allow query requests from the server to the client
as well. But not everyone will want that. So, the only reasonable
general solution is to control this on a line by line basis.

Of course, if I had my druthers, I would have those lines be
additive rather than subtractive. I think something like

server pool.ntp.org allow trust,query

makes more sense than the current paradigm of subtractives:

server pool.ntp.org restrict default,nomodify



-- 
blu

If you put a submarine in a blender...
----------------------------------------------------------------------
Brian Utterback - OP/N1 RPE, Sun Microsystems, Inc.
Ph:877-259-7345, Em:brian.utterback-at-ess-you-enn-dot-kom
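One way to do by hand what Danny describes (adding the addresses that DNS returns for the configured servers to the allowed list), as an added example that is not part of this thread or of ntpd itself: a Python script that reads the server and peer lines of an ntp.conf, resolves each name, and prints a restrict line for every resulting address. The sample conf text, the host names, the addresses in the test and the flag set are constructed for illustration and assume nothing about a particular ntpd version.

```python
import re
import socket

# Constructed sample ntp.conf: a name-based server line next to a catch-all
# "restrict default ignore" that would otherwise drop the servers' replies.
SAMPLE_CONF = """\
driftfile /var/lib/ntp/ntp.drift
restrict default ignore
restrict 127.0.0.1
server pool.ntp.org iburst
server 192.0.2.10
# peer backup.example.net   (commented out, must be skipped)
peer time.example.net
"""

# Assumed policy for each resolved address: accept time packets, but deny
# runtime modification, traps and ntpq/ntpdc queries from that host.
SERVER_FLAGS = "nomodify notrap noquery"

# server/peer lines, optionally with a -4/-6 family option before the name.
ASSOC_LINE = re.compile(r"^\s*(server|peer)\s+(?:-[46]\s+)?(\S+)", re.MULTILINE)


def association_names(conf_text):
    """Return the names (or literal addresses) on server and peer lines, in order."""
    return [m.group(2) for m in ASSOC_LINE.finditer(conf_text)]


def resolve_all(name):
    """Resolve a name to all of its IPv4 addresses (one snapshot of DNS)."""
    infos = socket.getaddrinfo(name, 123, socket.AF_INET, socket.SOCK_DGRAM)
    return sorted({info[4][0] for info in infos})


def restrict_lines(conf_text, resolver=resolve_all):
    """Build one 'restrict <ip> ...' line per distinct address the config resolves to."""
    lines, seen = [], set()
    for name in association_names(conf_text):
        for ip in resolver(name):
            if ip not in seen:          # two names may share an address
                seen.add(ip)
                lines.append(f"restrict {ip} {SERVER_FLAGS}")
    return lines


if __name__ == "__main__":
    for line in restrict_lines(SAMPLE_CONF):
        print(line)
```

Because pool.ntp.org rotates its answers, the generated lines are only a snapshot: they have to be regenerated and ntpd reloaded whenever the resolved set changes, which is exactly why Danny wants ntpd to do this itself.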


