[ntp:questions] Re: ntpd polling server every second
graham
graham at no.spam.thanks
Sun Apr 9 20:07:37 UTC 2006
Steve Kostecke wrote:
> On 2006-04-09, graham <graham at no.spam.thanks> wrote:
>
>> server <my ISP's ntp server>
>> driftfile /etc/ntp/drift
>> restrict default noquery notrust nomodify
>> restrict 127.0.0.1
>>
>> the daemon server was querying the ISP server every second.
>> When I later modified the default restrict to "ignore" it behaved as
>> expected (ie. every 2^6 seconds).
>
> 'restrict default ignore' tells ntpd to ignore NTP packets from
> _EVERYONE_ (even your ISP's ntp server).
>
>> If it makes a difference this is ntpd version 4.2.0.
>
> notrust, for ntpd 4.2.x, means "ignore NTP packets that are not
> cryptographically authenticated."
>

Oops, yes, missed out "restrict noquery nomodify" for the ISP NTP server
(it's not cryptographically securing its packets, afaik - I'd presumably
have had to configure a key if it was).

So file should have read

server <my ISP's ntp server>
restrict <my ISP's ntp server> noquery nomodify
driftfile /etc/ntp/drift
restrict default noquery notrust nomodify
restrict 127.0.0.1

With the config as shown ntpd queries the ISP server every second; ntpd
-q bangs on for ages (querying ~every second); fails to set the time
correctly;

Changing the default to "ignore"... ntpd queries the ISP server roughly
every 60 secs; ntpd -q fails to set the time correctly.

Commenting out the "restrict default" line entirely makes it behave!

Thoroughly confused, and goodness knows what security restrictions it's
applying.
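
To see which restrictions a given source ends up with, the sketch below (an added example, not part of the original post and not ntpd code) parses the restrict lines of an ntp.conf and returns the flags of the most specific matching entry, which is how ntpd selects among overlapping restrict entries. It assumes numeric IPv4 addresses, uses the constructed address 192.0.2.10 in place of the ISP server placeholder, and treats notrust as described in the quoted reply for ntpd 4.2.x; the function names are hypothetical.

```python
import ipaddress

# Constructed ntp.conf: the post's corrected config, with 192.0.2.10
# standing in for the ISP server placeholder (assumed address).
SAMPLE_CONF = """\
server 192.0.2.10
restrict 192.0.2.10 noquery nomodify
driftfile /etc/ntp/drift
restrict default noquery notrust nomodify
restrict 127.0.0.1
"""

def parse_restrict(conf):
    """Return [(network, flags)] for every IPv4 restrict line in conf."""
    entries = []
    for line in conf.splitlines():
        tok = line.split("#", 1)[0].split()
        if len(tok) < 2 or tok[0] != "restrict":
            continue
        addr, rest = tok[1], tok[2:]
        mask = "255.255.255.255"          # no mask given means a single host
        if addr == "default":
            addr, mask = "0.0.0.0", "0.0.0.0"
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        entries.append((net, set(rest)))
    return entries

def effective_flags(entries, source):
    """Flags of the most specific restrict entry that matches source."""
    ip = ipaddress.ip_address(source)
    hits = [(net.prefixlen, flags) for net, flags in entries if ip in net]
    return max(hits, key=lambda h: h[0])[1] if hits else set()

def time_replies_dropped(flags):
    """True if unauthenticated time packets from the source are discarded
    (ignore drops everything; notrust, per the 4.2.x reading quoted in the
    thread, drops packets that are not cryptographically authenticated)."""
    return bool(flags & {"ignore", "notrust"})

if __name__ == "__main__":
    entries = parse_restrict(SAMPLE_CONF)
    for src in ("192.0.2.10", "127.0.0.1", "198.51.100.7"):
        flags = effective_flags(entries, src)
        print(src, sorted(flags), "dropped" if time_replies_dropped(flags) else "accepted")
```

An empty flag set, as for 127.0.0.1 here, means no restrictions apply to that source.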