[ntp:questions] Restrict vs DNS lookup

Hal Murray hal-usenet at ip-64-139-1-69.sjc.megapath.net
Mon Jun 7 08:50:42 UTC 2010


In article <4C0BCCFE.30602 at ntp.org>,
 Danny Mayer <mayer at ntp.org> writes:
>On 6/6/2010 3:24 AM, Hal Murray wrote:
>> https://bugs.ntp.org/show_bug.cgi?id=1568
>> 
>> Dave Hart points out that ntp-dev has a server option to the restrict
>> command.
>> 
>> Description here:
>>   http://www.eecis.udel.edu/~mills/ntp/html/accopt.html
>> 
>> Would somebody who uses restrict please check to see if this
>> does what you want.
>> 
>Hal,
>
>If this is about my suggestion to add a server option for restrict lines
>to allow easier control of packets from servers defined in the various
>server/pool, etc. lines then neither of these references describe that.

Both mention >restrict server<
Yes, the part in accopt.html is hidden in the fine print.

>The goal is to allow through packets from the servers you list even
>though there may be other restrict lines.

I think >restrict server< will do that.

I hope somebody more familiar with restrict will double check.

>I'm not sure I understand the intention of your note.
>
>Danny

There have been occasional discussions here about the interactions
of DNS with restrict.  There was one recently.  I entered the
bug to collect thoughts and keep it from falling through the cracks.

It's possible that some work on the documentation will make
me happy and help others avoid confusion.  I think it's simple
after you understand it, but it took me a while to figure that
out and I'm not really sure I've got it right.

I think part of my confusion is that there are two things
you might want to do with restrict and DNS.

One is the case you mention, let through packets from servers that
are looked up via DNS when your restrict line would otherwise
block them.  I think the current code will do that.

The other possibility is to block servers from a CIDR block,
even if you get one from DNS.  This isn't interesting if
you trust the people running the servers you are using
and if you don't trust them, why are you using their servers?
But you might want to skip servers in XXX (pick your favorite
bad guy) even if they make it into the pool.

I think I'd be happy with documenting the latter case as not
working.


-- 
These are my opinions, not necessarily my employer's.  I hate spam.
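As an added illustration (not part of this message or of the NTP project's own documentation), an ntp.conf fragment for the first case Hal describes: a default-deny restrict plus an exception for the servers ntpd resolves from the pool line. It assumes the option discussed here shipped under the keyword `restrict source` (the name used in released ntp 4.2.8 documentation; the message calls it "restrict server"), and the pool hostname and CIDR block are placeholders.

```conf
# Constructed example ntp.conf fragment (assumes ntp 4.2.8 keyword names).

# Case 1 from the message: a restrictive default would otherwise drop
# replies from every server, including the ones resolved via DNS.
restrict default ignore

# Local control (ntpq on the host itself) stays allowed.
restrict 127.0.0.1
restrict ::1

# Servers discovered through DNS from the server/pool lines below get
# these flags instead of the default, so their replies are accepted
# while they still cannot modify or query this daemon.
# (No "nopeer" here: pool associations need to be able to mobilize.)
restrict source nomodify notrap noquery

# Placeholder pool; replace with the pool or servers you actually use.
pool pool.example.invalid iburst

# Case 2 from the message (documented on this page as NOT working):
# a per-address "restrict source" entry is more specific than a CIDR
# block, so an address that DNS hands back from inside this range is
# still accepted despite the line below.
restrict 192.0.2.0 mask 255.255.255.0 ignore
```

Check the result with `ntpq -p` (associations should reach the pool servers) and `ntpq -c reslist` (the per-address entries added for resolved servers are listed alongside the static ones).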
