[ntp:questions] Re: ntpd polling server every second

graham graham at no.spam.thanks
Sun Apr 9 20:07:37 UTC 2006


Steve Kostecke wrote:
> On 2006-04-09, graham <graham at no.spam.thanks> wrote:
> 
>>    server <my ISP's ntp server>
>>    driftfile /etc/ntp/drift
>>    restrict default noquery notrust nomodify
>>    restrict 127.0.0.1
>>
>> the daemon server was querying the ISP server every second.
>> When I later modified the default restrict to "ignore" it behaved as 
>> expected (ie. every 2^6 seconds).
> 
> 'restrict default ignore' tells ntpd to ignore NTP packets from
> _EVERYONE_ (even your ISP's ntp server). 
> 
>> If it makes a difference this is ntpd version 4.2.0.
> 
> notrust, for ntpd 4.2.x, means "ignore NTP packets that are not
> cryptographically authenticated."
> 

Oops, yes, missed out "restrict noquery nomodify" for the ISP NTP server 
(it's not cryptographically securing its packets, afaik - I'd presumably 
have had to configure a key if it was).

So file should have read

     server <my ISP's ntp server>
     restrict <my ISP's ntp server> noquery nomodify
     driftfile /etc/ntp/drift
     restrict default noquery notrust nomodify
     restrict 127.0.0.1

With the config as shown ntpd queries the ISP server every second; ntpd 
-q bangs on for ages (querying ~every second); fails to set the time 
correctly;

Changing the default to "ignore"... ntpd queries the ISP server roughly 
every 60 secs; ntpd -q fails to set the time correctly.

Commenting out the "restrict default" line entirely makes it behave!

Thoroughly confused, and goodness knows what security restrictions it's 
applying.
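An added example, not part of the original post and not ntpd code: a small Python model of the documented `restrict` lookup, in which the most specific matching entry supplies the flags, applied to the two configurations in this message. `192.0.2.10` is a constructed stand-in for the ISP server, and the function names are hypothetical. It models the documented rule only, not the behaviour of 4.2.0 reported in the thread.

```python
import ipaddress

# Flag names from ntpd's access-control documentation.
KNOWN_FLAGS = {"ignore", "kod", "limited", "lowpriotrap", "nomodify", "nopeer",
               "noquery", "noserve", "notrap", "notrust", "ntpport", "version"}

def parse_restrict(conf_text):
    """Return [(network, flags)] for every IPv4 'restrict' line."""
    entries = []
    for raw in conf_text.splitlines():
        tokens = raw.split("#", 1)[0].split()
        if len(tokens) < 2 or tokens[0] != "restrict":
            continue
        addr, rest = tokens[1], tokens[2:]
        mask = "255.255.255.255"            # no mask given: single-host entry
        if addr == "default":
            addr, mask = "0.0.0.0", "0.0.0.0"
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        unknown = set(rest) - KNOWN_FLAGS
        if unknown:
            raise ValueError(f"unknown restrict flag(s): {sorted(unknown)}")
        entries.append((ipaddress.ip_network(f"{addr}/{mask}", strict=False),
                        frozenset(rest)))
    return entries

def effective_flags(entries, source_ip):
    """Flags of the most specific entry matching source_ip (last wins on ties)."""
    ip = ipaddress.ip_address(source_ip)
    matches = sorted((e for e in entries if ip in e[0]),
                     key=lambda e: e[0].prefixlen)
    return matches[-1][1] if matches else frozenset()

def reply_verdict(flags, authenticated=False):
    """What happens to a server's time reply under these flags."""
    if "ignore" in flags:
        return "dropped: ignore"
    if "notrust" in flags and not authenticated:   # 4.2.x meaning, per thread
        return "dropped: notrust and packet not authenticated"
    return "accepted"

ISP = "192.0.2.10"   # constructed stand-in for <my ISP's ntp server>
FIRST = (f"server {ISP}\ndriftfile /etc/ntp/drift\n"
         "restrict default noquery notrust nomodify\nrestrict 127.0.0.1\n")
SECOND = f"restrict {ISP} noquery nomodify\n" + FIRST   # adds the host entry

if __name__ == "__main__":
    for name, conf in (("first", FIRST), ("second", SECOND)):
        flags = effective_flags(parse_restrict(conf), ISP)
        print(name, sorted(flags), "->", reply_verdict(flags))
```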




