[ntp:questions] 4.2a headaches
Williams, Jeffrey
jeff at sailorfej.net
Thu Jan 5 06:55:13 UTC 2006
Hi folks,
I am having some interesting issues with the newer implementation of ntp
4.2 versus 4.1.
Ok, I am trying to configure a local timeserver on my network (with both
public and private subnets) that syncs from the public ntp pool and/or
other stratum 1 and 2 public timeservers, which the other machines on
my network will then use as their timeserver. However, since my internet
connection is not the fastest, not to mention I have other uses for it,
I don't want to allow open access to my timeserver.

Now under 4.1 here is what my primary timeserver's ntp.conf looked like
(where 1.2.3.4 and 5.6.7.8 are subnets I want to allow to use my
timeserver):
# upstream sources, listed by hostname so the operator can move them
server timeserver1.somedomain.com
server timeserver2.somedomain.com
server timeserver3.somedomain.com
server timeserver4.somedomain.com
server timeserver5.somedomain.com
driftfile /var/db/ntp.drift
# everyone not matched below: drop all packets except ntpq/ntpdc queries
restrict default noserve notrap nomodify
# the two client subnets that may use this host as a timeserver
restrict 1.2.3.4 mask 255.255.255.248 nomodify notrap
restrict 5.6.7.8 mask 255.255.255.248 nomodify notrap
# localhost gets unrestricted access
restrict 127.0.0.1

Now this configuration does not work under 4.2, and from what I can
gather from the documentation, this is on purpose, and under the new
rules you have to add an explicit "restrict" line for each server entry.
And from my testing this seems to be true: restrict defaults of
"noserve" and/or "ignore" block sync with the previously listed
timeservers unless I eliminate the restrict entries altogether, or
specifically list each server entry's IP address with its own
restrict line.

The problem is that you can't use hostnames in a restrict line, and the
reason we use hostnames on server lines is so a hosting party can move
the time service to a different IP address without disrupting
timeservice, not to mention that, for obvious reasons, specific IP listings
won't work if you want to use the ntp.org ntp server pools. So if you
want to sync with pool timeservers and/or use only host names to sync
with specific public timeservers, you have to allow open access to your
time server?

So is this the way it is supposed to work? Am I making a stupid mistake?
Or is this a bug in 4.2?
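The rule Jeffrey describes (a server whose address falls under a "noserve" or "ignore" restrict cannot be used as a time source, and a hostname on a server line has no address that a static restrict line could name) can be checked before ntpd is restarted. The script below is an added example written for this post; it is not ntpd code and not part of the original message. It assumes, as the ntpd access-control documentation states, that "ignore" drops every packet and "noserve" drops everything except ntpq/ntpdc queries, and that ntpd applies the most specific (longest-prefix) matching restrict entry before falling back to "restrict default". The function names and the upstream addresses 192.0.2.10 and 198.51.100.7 in the second config are constructed for the example.

```python
"""Static check of an ntp.conf for the server/restrict interaction described
in the post (added example, not ntpd's own code)."""
import ipaddress

# Assumption: these restrict flags drop the packets ntpd would need from an
# upstream server (ignore = drop all, noserve = drop all but ntpq/ntpdc).
BLOCKING_FLAGS = {"ignore", "noserve"}


def parse_ntp_conf(text):
    """Return (servers, restricts) from ntp.conf text.

    servers:   the hostname or IP literal of every 'server' line
    restricts: list of (network, flags); network is None for 'restrict default'
    """
    servers, restricts = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if parts[0] == "server" and len(parts) > 1:
            servers.append(parts[1])
        elif parts[0] == "restrict" and len(parts) > 1:
            if parts[1] == "default":
                restricts.append((None, set(parts[2:])))
                continue
            addr, rest = parts[1], parts[2:]
            mask = "255.255.255.255"  # a bare address restricts that one host
            if rest[:1] == ["mask"] and len(rest) >= 2:
                mask, rest = rest[1], rest[2:]
            net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
            restricts.append((net, set(rest)))
    return servers, restricts


def is_ip_literal(s):
    try:
        ipaddress.ip_address(s)
        return True
    except ValueError:
        return False


def effective_flags(ip, restricts):
    """Flags of the most specific restrict entry covering ip, else the default
    entry's flags, else no flags at all (assumed longest-prefix matching)."""
    best = None
    for net, flags in restricts:
        if net is not None and ip in net:
            if best is None or net.prefixlen > best[0].prefixlen:
                best = (net, flags)
    if best is not None:
        return best[1]
    for net, flags in restricts:
        if net is None:
            return flags
    return set()


def check_sources(text):
    """Map each server entry to a verdict:
    'ok'                      packets from it are accepted
    'blocked'                 an ignore/noserve entry covers its address
    'needs-explicit-restrict' it is a hostname and the default entry blocks,
                              so only a per-address restrict line could admit it
    """
    servers, restricts = parse_ntp_conf(text)
    default_flags = next((f for n, f in restricts if n is None), set())
    verdicts = {}
    for s in servers:
        if not is_ip_literal(s):
            blocked = bool(default_flags & BLOCKING_FLAGS)
            verdicts[s] = "needs-explicit-restrict" if blocked else "ok"
            continue
        flags = effective_flags(ipaddress.ip_address(s), restricts)
        verdicts[s] = "blocked" if flags & BLOCKING_FLAGS else "ok"
    return verdicts


# The config from the post, as posted.
ORIGINAL_CONF = """
server timeserver1.somedomain.com
server timeserver2.somedomain.com
server timeserver3.somedomain.com
server timeserver4.somedomain.com
server timeserver5.somedomain.com
driftfile /var/db/ntp.drift
restrict default noserve notrap nomodify
restrict 1.2.3.4 mask 255.255.255.248 nomodify notrap
restrict 5.6.7.8 mask 255.255.255.248 nomodify notrap
restrict 127.0.0.1
"""

# Constructed variant: upstreams by address, one of them given its own line.
FIXED_CONF = """
server 192.0.2.10      # constructed upstream, with its own restrict line below
server 198.51.100.7    # constructed upstream, no restrict line of its own
driftfile /var/db/ntp.drift
restrict default noserve notrap nomodify
restrict 192.0.2.10 nomodify notrap noquery
restrict 1.2.3.4 mask 255.255.255.248 nomodify notrap
restrict 127.0.0.1
"""

if __name__ == "__main__":
    for name, conf in (("original", ORIGINAL_CONF), ("fixed", FIXED_CONF)):
        print(name)
        for server, verdict in check_sources(conf).items():
            print(f"  {server:32} {verdict}")
```

Running it on the posted config reports every hostname server as "needs-explicit-restrict", which is the symptom in the post; in the constructed variant only the upstream that lacks its own restrict line is reported as "blocked". The check is static, so it cannot say anything about pool hostnames beyond that verdict, which is exactly the gap the post asks about.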