[ntp:questions] 4.2a headaches

Williams, Jeffrey jeff at sailorfej.net
Thu Jan 5 06:55:13 UTC 2006


Hi folks,

I am having some interesting issues with the newer implementation of ntp 
4.2 versus 4.1.

OK, I am trying to configure a local timeserver on my network (which has 
both public and private subnets) that syncs from the public ntp pool and/or 
other stratum 1 and 2 public timeservers, and which the other machines on 
my network will then use as their timeserver. However, since my internet 
connection is not the fastest, not to mention that I have other uses for it, 
I don't want to allow open access to my timeserver.

Now under 4.1 here is what my primary timeserver's ntp.conf looked like 
(where 1.2.3.4 and 5.6.7.8 are subnets I want to allow to use my 
timeserver):

# upstream servers, by hostname
server timeserver1.somedomain.com
server timeserver2.somedomain.com
server timeserver3.somedomain.com
server timeserver4.somedomain.com
server timeserver5.somedomain.com

driftfile /var/db/ntp.drift

# deny time service, traps and runtime modification to everyone not listed below
restrict default noserve notrap nomodify
# the two /29 client subnets that may get time from this host
restrict 1.2.3.4 mask 255.255.255.248 nomodify notrap
restrict 5.6.7.8 mask 255.255.255.248 nomodify notrap
# localhost is unrestricted
restrict 127.0.0.1

Now this configuration does not work under 4.2, and from what I can 
gather from the documentation, this is on purpose: under the new 
rules, you have to add an explicit "restrict" line for each server entry.

And from my testing this seems to be true: restrict defaults of 
"noserve" and/or "ignore" block sync with the previously listed 
timeservers unless I eliminate the restrict entries altogether, or 
specifically list each server entry's IP address with its own 
restrict line.

The problem is that you can't use hostnames in a restrict line, and the 
reason we use hostnames on server lines is so that a hosting party can move 
the time service to a different IP address without disrupting 
time service. Not to mention that, for obvious reasons, specific IP listings 
won't work if you want to use the ntp.org ntp server pools. So if you 
want to sync with pool timeservers and/or use only hostnames to sync 
with specific public timeservers, you have to allow open access to your 
timeserver?

So is this the way it is supposed to work? Am I making a stupid mistake? 
Or is this a bug in 4.2?
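The following is an added example, not part of the post above or of the NTP project's documentation. It shows the approach the poster describes as the only one that worked in testing: keep a deny-all default ("restrict default ignore") so no outside host gets time service, and emit one restrict line per resolved upstream address so the replies from the configured servers are let through the default deny. The hostnames and client subnets are the placeholders from the post; the addresses in RESOLVED are constructed stand-ins for what a resolver (for example "getent hosts timeserver1.somedomain.com") would print, since DNS is not available here. The helper names restrict_lines and build_ntp_conf are my own.

```shell
#!/bin/sh
# Added example (not from the original post): build an ntpd 4.2 ntp.conf that
# denies everything by default but still admits replies from the configured
# upstream servers, by listing each server's resolved address in its own
# restrict line.

# Constructed sample resolver output, one "ADDRESS HOSTNAME" pair per line.
# In a real run this would come from resolving the server hostnames; note that
# two hostnames resolve to the same address, so the lines must be deduplicated.
RESOLVED='192.0.2.10 timeserver1.somedomain.com
192.0.2.11 timeserver2.somedomain.com
192.0.2.10 timeserver3.somedomain.com
198.51.100.7 timeserver4.somedomain.com
198.51.100.7 timeserver5.somedomain.com'

# Emit one "restrict ADDR nomodify notrap noquery" line per distinct address.
# Time replies from the server are accepted; modification, traps and
# ntpq/ntpdc queries from it are not.
restrict_lines() {
    printf '%s\n' "$1" |
        awk '!seen[$1]++ { print "restrict " $1 " nomodify notrap noquery" }'
}

# Full ntp.conf: server lines by hostname (so the hosting party can move them),
# a deny-all default, the two permitted client /29s, localhost, and the
# per-address upstream exceptions generated from RESOLVED.
build_ntp_conf() {
    cat <<'EOF'
server timeserver1.somedomain.com
server timeserver2.somedomain.com
server timeserver3.somedomain.com
server timeserver4.somedomain.com
server timeserver5.somedomain.com

driftfile /var/db/ntp.drift

# Drop every packet whose source is not matched by a later, more specific line.
# This is what keeps time service closed to the rest of the internet.
restrict default ignore
# The two client subnets that may get time, but not modify or set traps.
restrict 1.2.3.4 mask 255.255.255.248 nomodify notrap
restrict 5.6.7.8 mask 255.255.255.248 nomodify notrap
# Localhost is unrestricted so ntpq on the box itself works.
restrict 127.0.0.1
# Upstream servers by address: their replies must get past "default ignore".
EOF
    restrict_lines "$RESOLVED"
}

build_ntp_conf
```

The cost of this scheme is the one the poster points out: the restrict lines are bound to addresses, so they have to be regenerated (and ntpd restarted) whenever an upstream hostname moves, which makes it a poor fit for pool hostnames whose addresses rotate. The alternative of a default line without "ignore" or "noserve" (a "restrict default kod nomodify notrap nopeer noquery" style default) lets the replies in with no per-server lines, but it also answers time requests from anyone, which is exactly the open access the post wants to avoid; in that case the bandwidth would have to be controlled with a host firewall on UDP/123 instead.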



