[ntp:questions] Restrict vs DNS lookup

Danny Mayer mayer at ntp.org
Mon Jun 7 19:07:49 UTC 2010


On 6/7/2010 4:50 AM, Hal Murray wrote:
> In article <4C0BCCFE.30602 at ntp.org>,
>  Danny Mayer <mayer at ntp.org> writes:
>> On 6/6/2010 3:24 AM, Hal Murray wrote:
>>> https://bugs.ntp.org/show_bug.cgi?id=1568
>>>
>>> Dave Hart points out that ntp-dev has a server option to the restrict
>>> command.
>>>
>>> Description here:
>>>   http://www.eecis.udel.edu/~mills/ntp/html/accopt.html
>>>
>>> Would somebody who uses restrict please check to see if this
>>> does what you want.
>>>
>> Hal,
>>
>> If this is about my suggestion to add a server option for restrict lines
>> to allow easier control of packets from servers defined in the various
>> server/pool, etc. lines then neither of these references describe that.
> 
> Both mention >restrict server<
> Yes, the part in accopt.html is hidden in the fine print.
> 

Actually they mention restrict source, not restrict server. There is
essentially no description of what this option is or what it does. There
needs to be a documentation effort to explain clearly the usage and why
and when to use it.

>> The goal is to allow through packets from the servers you list even
>> though there may be other restrict lines.
> 
> I think >restrict server< will do that.
> 
> I hope somebody more familiar with restrict will double check.
> 
>> I'm not sure I understand the intention of your note.
>>
>> Danny
> 
> There have been occasional discussions here about the interactions
> of DNS with restrict.  There was one recently.  I entered the
> bug to collect thoughts and keep it from falling through the cracks.
> 
> It's possible that some work on the documentation will make
> me happy and help others avoid confusion.  I think it's simple
> after you understand it, but it took me a while to figure that
> out and I'm not really sure I've got it right.
> 
> I think part of my confusion is that there are two things
> you might want to do with restrict and DNS.
> 
> One is the case you mention, let through packets from servers that
> are looked up via DNS when your restrict line would otherwise
> block them.  I think the current code will do that.
> 
> The other possibility is to block servers from a CIDR block,
> even if you get one from DNS.  This isn't interesting if
> you trust the people running the servers you are using
> and if you don't trust them, why are you using their servers?
> But you might want to skip servers in XXX (pick your favorite
> bad guy) even if they make it into the pool.
> 

This one is not clear. If you want to specify a restriction on a block,
I seem to recall that you can use a netmask. I don't think you can do a
/24 style subnet yet unless Dave Hart has implemented that.

Danny
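The two uses of restrict that the thread distinguishes, written out as an ntp.conf fragment. This is an added example, not configuration from the thread or from the NTP project; the host names and the address block are placeholders (RFC 5737 documentation ranges and example.net names), and the restrict source line assumes an ntpd build that supports that option, as ntp-dev did at the time of the discussion.

```conf
# Added example (not from the thread): ntp.conf fragment illustrating the two
# restrict-and-DNS cases discussed above. Names and addresses are placeholders.

# Default policy for every other address: answer time queries, allow nothing else.
restrict default kod limited nomodify notrap nopeer noquery
restrict -6 default kod limited nomodify notrap nopeer noquery

# The local host keeps full access.
restrict 127.0.0.1
restrict ::1

# First case: servers are configured by name, so their addresses are only known
# after the DNS lookup. "restrict source" supplies the flags applied to each
# address that a server/pool line resolves to, so the default line above does
# not block replies from them.
restrict source nomodify notrap noquery
pool pool.example.net iburst
server ntp.example.net iburst

# Second case: refuse a whole block of addresses even if a pool lookup hands one
# back. As Danny notes, the range is written with an explicit netmask rather
# than /24 prefix notation.
restrict 192.0.2.0 mask 255.255.255.0 ignore
```

ntpd applies the most specific matching entry to each packet, so after a DNS lookup has resolved the server names it is worth confirming which entry actually covers each resolved address with the restriction-list query (ntpq -c reslist, or ntpdc -c reslist on older ntpd) rather than assuming the intended line won.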
